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Abstract 



Cryptography algorithm standards play a key role both to the practice of information security 
and to cryptography theory research. Among them, the MQV and HMQV protocols ((H)MQV, in 
short) are a family of (implicitly authenticated) Difhe-Hellman key-exchange (DHKE) protocols that 
I ' are widely standardized and deployed. In this work, from some new perspectives and approaches and 

y—i , under some new design rationales and insights, we develop a new family of practical implicitly authcn- 

' ticated DHKE protocols, which enjoy notable performance among security, privacy, efficiency and 

easy deployment. We make detailed comparisons between our new DHKE protocols and (H)MQV, 
O ' showing that the newly developed protocols outperform HMQV in most aspects. Along the way, 

, guided by our new design rationales, we also identify a new vulnerability of (H)MQV, which brings 

' some new perspectives (e.g., session- key computational fairness) to the literature. 

1 Introduction 

DifRe-Hellman key-exchange (DHKE) protocols are at the root of public-key cryptography, and are 
one of the main pillars of both theory and practice of cryptography [T3]. Among them, the (H)MQV 
^ [ protocols [m SOI [371 HS] ai'e among the most efficient DHKE protocols that provide (implicit) mutual au- 
thentications based upon public-key cryptography, and are widely standardized [H [5| [3 ^ [35 | H9 | [50 | [56] . 
In particular, it has been announced by the US National Security Agency as the key exchange mecha- 
J> , nism underlying "the next generation cryptography to protect US government information", including 
the protection of "classified or mission critical national security information" [501 [37] . 

Despite its seemingly conceptual simplicity, designing "sound" and ^^right" DHKE protocols turns 
out to be extremely error prone and can be notoriously subtle, particularly witnessed by the evolution 
[ history of (H)MQV [HI [361 [Ml [371 US]- Also, the analysis of even a simple cryptographic protocol in 
■ intricate adversarial settings like the Internet can be a luxury and dauntingly complex task [111 137] . 
The reason for this is the high system complexity and enormous number of subtleties surrounding the 
design, definition and analysis of DHKE protocols. Given the intensive investigation of (H)MQV both 
from cryptography theory research and from industrial engineering, it may be commonly suggested that 
^ ■ the state-of-the-art of (H)MQV, commonly viewed as the best available in the integrity of security and 
, protocol efficiency, should hardly be broken. 

In this work, we start with investigating highly practical mechanisms in the random oracle (RO) 
model, referred to as non-malleable joint proof-of-knowledge (NMJPOK) for presentation simplicity, 
for proving DH-knowledges, say both the secret-key and the DH-exponent, jointly and non-malleahly 
in concurrent settings like the Internet. In light of this line of investigations, we develop a new family 
of practical implicitly authenticated DHKE protocols, referred to as OAKE and single-hash CAKE 
protocols, which enjoy notable performance among security, privacy, efficiency and easy deployment. 
For presentation simplicity, we refer to the newly developed DHKE protocols as (s)OAKE. We then 
compare and justify (s)OAKE protocols with (H)MQV in detail, which shows that our new protocols 
outperform HMQV in most aspects. Detailed comparisons are listed in Section [4] after motivating the 
design rationales and building tools and after presenting the detailed OAKE specifications. Guided 
by our new design rationales, in this work we particularly identify a new vulnerability of (H)MQV 
beyond the Canetti-Krawczyk (CK) framework, which brings some new perspectives (e.g., session- key 



in 



o 



'Institute for Interdisciplinary Information Sciences, Tsinghua University, Beijing, China. 
andrewcyaoOtsinghua . edu . cn 

t Contact author. Software School, Fudan University, Shanghai 200433, China. ylzhao@fudan.edu.cn 
^There are two acronym interpretations of OAKE. One interpretation is: (Online) Optimal (implicitly) Authenti- 
cated (Diffie-Hellman) Key-Exchange. Another interpretation is: (Toward) Optimally-balanced (implicitly) Authenticated 
(DifRe-Hellman) Key- Exchange (in the integrity of protocol efficiency, security, privacy and easy deployment). 



computational fairness) to the literature. We do not know how to fix (H)MQV against this newly 
identified vulnerability without sacrificing the provable security in the CK framework and many more 
other advantages enjoyed by (s)OAKE (with details referred to Section . which also further justifies 
and highlights the careful design of (s)OAKE. 

We suggest the developed (s)OAKE protocols are themselves a clear witness to the usefulness of 
the new design rationales and building tool with NMJPOK, as (s)OAKE aims for an alternative of 
(H)MQV that is widely standardized and deployed and as with the new design rationales we can 
identify some new vulnerabilities bringing new perspectives to the literature of DHKE. But at the same 
time, the new design rationales and building tools, developed for (s)OAKE, can also be of independent 
interest, and may trigger more applications. In particular, based on this work, in a subsequent separate 
work we present the definition and candidates of non-malleable extractable one-way functions (NME- 
OWF), which can be viewed as pairing-based NMJPOK without random oracles, and demonstrate the 
applications of NME-OWF to both theory (e.g., 3-round concurrent non-malleable zero- knowledge, etc) 
and applications (e.g., ID-based cryptography, etc) of cryptography. 

2 Preliminaries 

Notations: If ^ is a probabilistic algorithm, then A{xi,X2, ■ ■ ■ ; r) is the result of running A on inputs 
xi,X2, - ■ ■ and coins r. We let y ^ A{xi,X2, • • • ;r) denote the experiment of picking r at random and 
letting y be A{xi,X2, • • • ; r). If S is a finite set then x 5, sometimes also written as x S, is the 
operation of picking an element uniformly from S. If a is neither an algorithm nor a set then x a is 
a simple assignment statement. 

Let G' be a finite Abelian group of order A^, G be a subgroup of prime order q in G'. Denote by g 
a generator of G, by Iq the identity element, by G \ 1g = G — {Ic} the set of elements of G except 
1(5 and by i = — the cofactor. In this work, we use multiplicative notation for the group operation 
in G' . We assume the computational Diffie-Hellman (CDH) assumption holds over G, which says that 
given X = g^,Y = -(^ G (i.e., each of x and y is taken uniformly at random from Zq) no efficient 
(say, probabilistic polynomial-time) algorithm can compute CDH(X,Y) = g^^ . Let {A = g"',a) (resp., 
{X = g^,x)) be the public-key and secret-key (resp., the DH-component and DH-exponent) of player 
A, and {B = g^,b) (resp., {Y = g^,y)) be the public-key and secret-key (resp., the DH-component and 
DH-exponent) of player B, where a,x,b,y are taken randomly and independently from Z*. (H)MQV is 
recalled in Figure [J (page H]) , and the (H)MQV variants are recalled in Appendix [Aj where on a security 
parameter k Hk (resp., h) is a hash function of A;-bit (resp., /-bit) output and / is set to be \q\/2. 

Gap DifRe-Hellman (GDH) assumption |51| . Let G be a cyclic group generated by an element 
g, and a decision predicate algorithm O be a {full) Decisional Diffie-Hellman (DDH) Oracle for the group 
G and generator g such that on input {U,V,Z), for arbitrary iU,V) € G^, oracle O outputs 1 if and 
only if Z = GDH{U,V). We say the GDH assumption holds in G if for any polynomial-time CDH 
solver for G, the probability that on a pair of random elements {X, y) G the solver computes the 
correct value CDH{X,Y) is negligible, even when the algorithm is provided with the (full) DDH-oracle 
O for G. The probability is taken over the random coins of the solver, and the choice of X, Y (each one 
of them is taken uniformly at random in G). 

Knowledge-of-Exponent Assumption (KEA). Informally speaking, the KEA assumption says 
that, suppose on input {g,G = g^), where c is taken uniformly at random from Z*, a probabilistic 
polynomial-time (PPT) algorithm A outputs (Y, Z = Y'^) G G^, then the discrete logarithm y oiY = g^ 
can be efficiently extracted from the input (5, G) and the random coins used by A. The formal definition 
is referred to Definition IG.3I (page I39p . In other words, given (g,G = g'^) the "only way" to produce 
(y, Z = Y^) is to choose y and compute {Y = g^ , Z = G^). The KEA assumption is derived from 
the CDH assumption, and is a non-black-box assumption by nature [7]. The KEA assumption was 
introduced in [l7], and has been used in many subsequent works (e.g., [32l [8l [71 [19l [371 (13 [20]; etc). 
In particular, the KEA assumption plays a critical role for provable deniability of authentication and 
key-exchange (e.g., [T91I371I20]). 

Simultaneous exponentiation. Given two generators gi,g2 G G and two values x,y ^ Zq, 



the computation of ^ff/l amounts to about 1.3 exponentiations by the simultaneous exponentiation 
techniques p| [30l[22]. 

3 Design of (s)OAKE: Motivation, Discussion and Specification 

We consider an adversarial setting, where polynomially many instances (i.e., sessions) of a Difhe-Hehman 
protocol {A, B) are run concurrently over an asynchronous network like the Internet. To distinguish 
concurrent sessions, each session run at the side of an uncorrupted player is labeled by a tag, which is the 
concatenation, in the order of session initiator and then session responder, of players' identities/public- 
keys and DH-components available from the session transcript. A session-tag is complete if it consists 
of a complete set of all these components. 

In this work, we study the mechanisms, in the random oracle (RO) model, for non-malleahly and 
jointly proving the knowledge of both b and y w.r.t. a challenge DH-component X between the prover 
B (of public-key B = and DH-component Y = g^) and the verifier A (who presents the challenge 
DH-component X = g^), where b,y,x € Z*. For presentation simplicity, such protocol mechanism is 
referred to as JPOK{b,y). Moreover, we look for solutions of JPOK(^ y^ such that JPOKf^y^ can be 
efficiently computed with one single exponentiation by the knowledge prover. Note that the tag for a 
complete session of JPOK^^y^ is {A,B,B,X^Y). The possibility of JPOK^^y^ without ROs (based 
upon pairings) is left to be studied in a subsequent separate paper. Throughout this work, we use a 
hash function /i, which is modeled as a random oracle, and we denote by the output length, i.e., Z, of /i 
as the security parameter. 

One naive solution of JPOK^^^y-^ is just to set JPOK^^y-^ = X^ ■ Xy = X^'^y . But, such a naive 
solution is totally insecure, for example, an adversary A can easily impersonate the prover B and pre- 
determine JPOK^p y-^ to be 1g, by setting Y = B^^ . The underlying reason is: A can malleate B and 
Y into Xy~^^ by maliciously correlating the values of y and b, but actually without knowing either of 
them. A further remedy of this situation is to mask the exponents b and y by some random values. 
In this case, the proof is denoted as JPOK^i^y-^ = X'^^'^'^y , where d and e are random values (e.g., 
d = h{X,B) and e = h(Y,A) as in HMQV in the RO model). The intuition with this remedy solution 
is: since d and e are random values, db and ey are also random (even if the values Y and B, and thus 
the values of y and b, may be maliciously correlated). This intuition however turns out also to be wrong 
in general. With the values d = h(B,A) and e = h(X,B) as an illustrative example, after receiving X 
an adversary A can generate and send Y = B~'^/^, and in this case JPOK^^^y-^ = X'^^'^^y = Iq- This 
shows that masking b and y by random values is also not sufficient for ensuring the non-malleability of 
JPOK(^ yy The key point here is that the values db and ey are not necessarily independent, and thus 
a malicious prover can still make the values db and ey correlated. This line of investigations bring us 
to the following two candidates for non-malleable joint proof-of-knowledge (NMJPOK) of both b and y 
w.r.t. X, under the preference of on-line efficiency and minimal use of RO. More details are referred to 
Appendix [BJ 

• NMJPOK: NMJPOK^t„y) = X'^^+^'v , where d = h{B,X) and e = h{X,Y); 

• Single-hash NMJPOK (sNMJPOK): sNMJPOK^h^y-j = X'^^+'^y, where d = 1 and e = h{B,X,Y). 

Below, we provide some informal justifications of NMJPOK and sNMJPOK , by avoiding intro- 
ducing and employing some cumbersome terminologies for easier interpretation. Formal treatments are 
referred to Appendix [Bj Informally speaking, the underlying rationale of NA^JPOK^^y^ is: given a 
random challenge X, no matter how a malicious B chooses the values Y = gy and B = g^ (where y and 
b can be arbitrarily correlated), it actually has no control over the values db and ey in the RO model 
(by the birthday paradox). That is, it is infeasible for a malicious B to set db (resp., ey) to some pre- 
determined value, which may be determined by ey (resp., db) via some predetermined polynomial-time 
computable relation TZ, with non-negligible probability in the RO model in order to make the values db 
and ey correlated. Alternatively speaking, given a random challenge X, it is infeasible for a malicious 
B to output B = g^ and Y = gy such that the values db and ey satisfy some predetermined relation TZ 
with non-negligible probability in the RO model. 
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(H)MQV : A'^ = (yB«)-^+rf«, A'^ = (XA'^)v+''^, K = Hk{K^) = Hk{B) 

MQV : d = 2' + (X mod 2'), e = 2' + (F mod 2'), / = \q\/2 
HMQV : d = h{X, B),e = h{Y, A), I = \q\/2 

(s)OAKE: = 5-'*^-+-, = K = Hk(K^) = Hk{K^) 

PAKE : c = h{A,A,Y), d = h{B,B,X), e = h{X,Y), \q\ 
sOAKE: c = d = l, e = h{A,A,B,B,X,Y), l^\q\ 



Figure 1: Specifications of (H)MQV and (s)OAKE 

The situation witli sNMJPOK^^^ y-^ is a bit different. Though as in NMJPOK(p y-^, the mahcious B 
is infeasible to set ey to a predetermined value, B can always set the value db = b at its wish as d = 1 for 
sNMJPOK^fj yy But, B is still infeasible to set the value b correlated to ey = h{B, X, Y)y, particularly 
because the value B is put into the input of e. Specifically, for any value B = set by B, with the 
goal of making b and ey correlated, the probability that the values ey = h{B, X,Y)y and b satisfy 
some predetermined (polynomial-time computable) relation TZ is negligible in the RO model (by the 
birthday paradox). In particular, the probability that Pr[6 = /(ey)] or Pr[/(5) = ey], where / is some 
predetermined polynomial-time computable function (that is in turn determined by the predetermined 
relation TZ), is negligible in the RO model, no matter how the malicious 13 does. 

Note that NMJPOK(^b,y) = X'^^+^'V = {B'^V'Y , where d = h{B,X) and e = h{X,Y), actually can 
be used to demonstrate the knowledge of x. The key observation now is: in order for A to additionally 
prove the knowledge of its secret-key o, we can multiply X'^'^+'^y by another POK for c = h{A, Y). 
This yields = ^'^^yca+ex ^ ^cy^dh+ey ^ j^^^ ^Yieie (resp., K^) is computed by A (resp., 

B) respectively. As we aim for secure DHKE protpcols in concurrent settings like the Internet, we 
let the values and commit to the complete session tag by putting users' identities into the 
inputs of d and/or e, which particularly ensures the "key-control" property of [ID] for DHKE. All the 
observations are boiled down to the OAKE protocol, which is depicted in Figure [H The version derived 
from sNMJPOK, referred to as single-hash OAKE (sOAKE), is also depicted in Figure [TJ Note that the 
output length of h, i.e., /, is set to be \q\/2 in (II)MQV, but approximately |g| in OAKE and sOAKE 
protocols. In particular, with the (s)OAKE protocol family, h and Hk (that is used for deriving the 
session-key K) can be identical. Also note that, for (s)OAKE, A (resp., B) can offline pre-compute 
X and B'^^ (resp., Y and A^y). Some (s)OAKE variants are given in Appendix O We also highlight 
another property, called tag-based self-seal (TBSS), of (s)OAKE in the RO model: given any complete 
session tag [A, A, B, B, X, Y) and any q € G \ Iq, Pr[K^ = = a] < 2131 ) where the probability is 
taken over the choice of the random function of h (see more discussions on TBSS in Appendix IB]) . 

Notes on subgroup tests in (s)OAKE. The basic technique to check the DH-component, e.g. 
X, is in G is to verify X'^ = Iq (and X G' \ Iq) that needs performing one modular exponentiation. 
But, if the cofactor t is small, e.g., G' = Z"^ such that = 2g + 1 or G is the subgroup of an elliptic 
curve over a finite field (in this case the cofactor t is usually a small constant), the subgroup test of 
X can be essentially reduced to: (1) check X G G'; (2). X^ / l^. In general, checking X & G' and 
X* 7^ 1g guarantees that X is not in a (small) subgroup of G' with the order that is a factor of t, but it 
does not fully guarantee X £ G (e.g., considering that X = —g^). This leads to the following (s)OAKE 
variant with embedded subgroup tests, in which the values K^,K^ are set to be: = ^j'^^itycat+ext 



group test is performed as follows: each player first verifies that its 
peer's DH-component is in G' , and then acts in accordance with one of the following two cases. 

Uase-l. If S'^^* and y'^^i+e^-* (resp., A'^y^ and x^^^+i^y*) are computed separately, particularly when 
j^dxt ^^Qgp_^ A'^y^) is offline pre- computed by A (resp., B), A (resp., B) checks that y™*+<^^* ^ l,^ 
(resp., / 

Case-2. In case of no separate computation, A (resp., B) verifies ^ \q (resp., Kj^ ^ Iq)- Note that 
the checking of Kj^ ^ Iq and Kj^ ^ Ic, as done in MQV, does not fully guarantee X* ^ Iq or 
y* 7^ 1g, but it still provides reasonable assurance in the elliptic curve setting as clarified above. 

We remark that the embedded subgroup test in Case-1, well supported by (s)OAKE, provides stronger 
security guarantee than that in Case-2 as done in (H)MQV. Note that (H)MQV cannot offline pre- 
compute the values B^ and A'^ to ease the more robust Case-1 embedded subgroup test. We note that 
the damage caused by ignoring the subgroup test of peer's DH-component (but still with the supergroup 
G' membership check) can be much relieved (and even waived), if the ephemeral private values generated 
within the protocol run are well-protected. More notes on the subgroup test, and on the ephemeral 
private values that can be exposed to adversary, are referred to Appendix [Pl 

4 Advantageous Features of (s)OAKE 

Efficiency advantages. The online computational complexity of (s)OAKE can remarkably be only 
1 exponentiation at each player side (with embedded subgroup test), which is optimal for DHKE. 
Specifically, the value B'^^^ (resp., A'^^^) can be offline pre-computed by A (resp., B). In comparison, 
(H)MQV cannot offline pre-compute the values B^ and to improve online efficiency, and thus the 
online efficiency of (II)MQV is about 1.3 exponentiations. 

The total computational complexity of (s)OAKE is essentially the same as that of (II)MQV, with 
sOAKE being still slightly more efficient than HMQV. In particular, by the simultaneous exponentiation 
techniques [43 1 [30} [22], each player in (H)MQV and (s)OAKE performs about 1.3 exponentiations 
in computing or K^. But, the computation of (resp., K^) of HMQV is still slightly more 
inefficient than that of sOAKE with a single hash. For example, to compute K^, besides the same 
other operations needed for simultaneous exponentiations, HMQV (resp., sOAKE) needs to compute 
{d, e, x -|- da, e{x + da)} (resp., only {e, a + xe}). 

On the same subgroup order g, (s)OAKE ensures more robust resistance to collision attacks against 
the underlying hash function h than HMQV, as the output length of /i, i.e., is set to be \q\/2 for 
HMQV but \q\ for (s)OAKE. To strengthen its security, some standards specify larger subgroups (e.g., 
\q\ = 255 in [50]) to use for HMQV. However, in memory-restricted environments (like smart-cards or 
other portable electronic tokens), subgroup size is an influential parameter in favor of a given algorithmic 
solution. 

Reasonable deniability. For key-exchange protocols, both security and privacy are desired, which 
would also have been being one of the major criteria underlying the evolution of a list of important 
industrial standards of DHKE (e.g., Internet key-exchange). Among privacy concerns, deniability is an 
essential privacy property, and has always been a central concern in personal and business communica- 
tions, with off-the-record communication serving as an essential social and political tool |19[ I20j. The 
reader is referred to |19[ [20] for a list of scenarios where deniability is desirable. (Needless to say, there 
are special applications where non-repudiable communication is essential, but this is not the case for 
most of our nowaday communications over Internet |19[ [20] where deniable authentication is much more 
desirable than non-repudiable authentication.) 

A 2-round implicitly authenticated DHKE protocol is defined to be of reasonable deniability, if the 
session-key can be computed merely from the ephemeral DH-exponents without involving any player's 
static secret-key. Note that we cannot count on DHKE with implicit authentication, like (H)MQV and 
(s)OAKE, to enjoy full-fledged deniability (zero-knowledge). It is clear that (s)OAKE enjoys reasonable 
deniability, as the session- key of (s)OAKE can be computed merely from the DH-exponents x and y, 
which is useful to preserve privacy for both protocol players. Note that (H)MQV is not reasonably 



deniable, as the use of the session-key of (H)MQV can be traced back to the group of the two players 
particularly in view that the value involved in the session-key computation. 

Modular, parallel and post-ID computability. First note that B'^^ , yca+eo, ^^^^ ^.j^g explicit 
sub-group test y by A (resp., A^^, X'^^^'^y and X'^ by B) can be computed in a parallel, modular 
and post-ID way, which allows for various trade-offs among security, privacy and efficiency for the 
deployment of (s)OAKE in practice. Specifically, the offline pre-computability of B'^^ and A^^ eases 
more efficient explicit subgroup test by computing and (resp., X'^^^'^y and X^) in parallel that 

amounts to about 1.2 exponentiations. Also, as clarified, offiine pre-computability of A'^'^ (resp., B'^^) 
allows the above more robust Case-1 embedded subgroup test of (resp., y™t+ext^^ Observe 

that, for OAKE, y^a+ex ^j-ggp^^ j^dh+ey^ Computed before learning peer's identity and public- 

key information. Such a post-ID computability, besides reasonable deniability, is useful for privacy 
preserving [15]. (H)MQV does not support such offiine pre-computability and post-ID computability. 

Ease deployment with lower-pow^er devices. As we shall see in Section 14.21 and Appendix 
IH.H (s)OAKE (with offiine pre-computation to an almost maximum extent) well supports the public 
computation model [39] (while (H)MQV does not), which is desirable for deploying KE protocols with 
authentication devices of limited computational ability in hostile computing environments. (s)OAKE 
allows smaller parameter \q\ than HMQV (in resistance to collision attacks against /i), which is important 
for deployment with memory-restricted devices (like smart-cards or other portable electronic tokens). 

Minimal setup. (s)OAKE does not mandate proof of possession/knowledge (POP/K) of secret-key 
during public-key registration, while POP/K is now commonly assumed for MQV. POP/K is explicitly 
abandoned in HMQV, however as we shall see, there exists a way to maliciously asymmetrically compute 
the session-key of HMQV without knowing either static secret-key or ephemeral DH-exponent. 

4.1 Security in the CK- Framework 

At a high level, the design rationale of (s)OAKE is new, with NMJPOK as the core building tool. The 
design of MQV is based on implicit signatures [H]. The design of HMQV is based on Hashed Dual 
challenge-Response (HDR) signatures and Hashed Challenge-Response (HCR) signatures, which are in 
turn based on Dual Challenge-Response (DCR) and exponential Challenge-Response (XCR) signatures. 
To further justify the robustness of the NMJPOK-based (s)OAKE protocols, we will show (in Section[5|) 
that (s)OAKE can also be casted in terms of HDR signatures. Moreover, in comparison with the HDR 
signature implied by HMQV (referred to as HMQV-HDR), the HDR signatures implied by (s)OAKE, 
referred to as (s)OAKE-HDR/HCR, are both online efficient (i.e., only one online exponentiation) and 
strongly secure (by providing stronger secrecy exposure capability to the signature forger and posing 
more stringent forgery success condition). 

In the CK-framework for a DHKE protocol, a concurrent man-in-the-middle (CMIM) adversary A 
controls all the communication channels among concurrent session runs of the KE protocol. In addition, 
A is allowed access to secret information via the following three types of queries: (1) state-reveal queries 
for ongoing incomplete sessions; (2) session-key queries for completed sessions; (3) corruption queries 
upon which all information in the memory of the corrupted parties will be leaked to A. A session 
{A,B,X,Y) is called exposed, if it or its matching session [B,A,Y,X) suffers from any of these three 
queries. The session-key security (SK-security) within the CK-framework is captured as follows: for any 
complete session (A, B, X, Y) adaptively selected by A, referred to as the test session, as long as it is 
unexposed, with overwhelming probability it holds that (1) the session-key outputs of the test session 
and its matching session are identical; (2) A cannot distinguish the session-key output of the test session 
from a random value. 

At a first glance, as (s)OAKE is of reasonable deniability (i.e., the session- key can be computed 
merely from x and y), (s)OAKE may not be secure in the CK-framework. However, this does not 
pose a problem for probable security within the CK-framework, where the test-session is required to 
be unexposed. Actually, as we shall see, the provable security of (s)OAKE within the CK-framework 
assumes much stronger secrecy exposure than HMQV. If one wants to sacrifice privacy for seemingly 
stronger security against exposure of both x and y even for the test-session, one can use the protocol 
variant of robust (s)OAKE proposed in Appendix [C] that is also provably secure in the CK-framework. 



The only difference between robust (s)OAKE and (s)OAKE is that, the values and Kj^ in robust 
(s)OAKE are set to be: = 5«+3;rfyac+xe ^^^^ ^ j^b+ycxbd+ye _ g^^^ discussed in Appendix [H 
the security advantage of robust (s)OAKE over (s)OAKE is insignificant, and from our view (s)OAKE 
achieves much better balance between security and privacy than the robust (s)OAKE variant. 

For provable SK-security within the CK-framework, denote by {A,B,X,Y) the test-session, we 
show both OAKE and sOAKE (actually their weaker public-key free variants with players' public-keys 
removed from the inputs of c,d,e), with pre-computed and exposed DH- components, DH-exponents and 
the values A'^^ 's and B'^^ 's (which renders much stronger secrecy exposure capability to attacker than 
HMQV within the CK-framework), are SK-secure in the RO model, under the following assumptions 
(with proof details referred to Section [5] and Appendix [G]): 

• The GDH assumption, in case A ^ B (which is also the most often case in practice). We note 
that, whenever the DH- exponent is generated and exposed during a session-run without offline 
pre- computation prior to the session run, OR, there exists an honest player whose public DH- 
component for a session is offline pre-computed and exposed prior to the session run (no matter 
whether the secret DH- exponent is exposed or not), the security of HMQV is based on both the 
GDH assumption and the KEA assumption. That is, for this most often case A ^ 13, (s)OAKE 
not only allows more powerful secrecy leakage but also is based on weaker assumptions than 
HMQV. 

• The CDH assumption, in case A = B and X = Y . 

• The GDH assumption and the KEA assumption, in case A = B and X ^ Y (the security of 
HMQV is based on the same assumptions in this case). 

As stressed in [37], security against exposed DH-exponents is deemed to be the main and prime concern 
for any robust DHKE, and security against exposed offline pre-computed values (particularly, the DH- 
components) is important to both lower-power devices and to high volume servers [37]. The reason is, as 
pointed out in [37], many applications in practice will boost protocol performance by pre-computing and 
storing values for later use in the protocol. In this case, however, these stored values are more vulnerable 
to leakage, particularly when DHKE is deployed in hostile environments with plagued spyware or virus 
and in view of that the offline pre-computed DH-components are much less protected in practice as they 
are actually public values to be exchanged in plain. 

In addition, (s)OAKE enjoys the following security advantages: (1) tighter security reduction of 
sOAKE than HMQV (discussed in Appendix IG. 21 and IG.3|) : (2) more robust embedded subgroup test 
supported by offline pre-computability of A'^'^ and B'^^ (as clarified above); Due to space limitation, 
more discussions on the security of (s)OAKE vs. (H)MQV are given in Appendix [El 

For (s)OAKE, putting public-keys into the input of c,d,e are necessary in order to ensure non- 
malleable joint proof-of-knowledge of both (a, x) (resp., {b,y)) by player A (resp., 13), as clarified with 
the development of (s)OAKE based on the underlying building tool of NMJPOK in Section [3] and 
Appendix [BJ But, as we shall see below (by concrete attacks), the SK-security in accordance with the 
CK-framework does not ensure joint proof-of-knowledge of (a, x) or (b, y). This is also the reason that we 
can prove the SK-security of (s)OAKE w.r.t. the public-key free variant. Next, we show that (s)OAKE 
also enjoys essential advantages over (H)MQV beyond the CK-framework. 

4.2 Security Beyond the CK-Pramework 

A new perspective to DHKE: exponent-dependent attacks (EDA) on (H)MQV, and the 
introduction of computational fairness. In this work, we identify EDA attacks against (H)MQV, 
which causes computational unfairness between malicious users and honest users in the sense that an 
adversary can compute the shared DH-secret with an honest player in an asymmetric way. We then 
discuss the implications and damages caused by EDA attacks, and then introduce a new security notion 
called ^^computational fairness" for authenticated DHKE protocols. 

Given a value X € G for which the malicious player A (e.g., a client) does not necessarily know 
the discrete logarithm of X, A computes d and sets A = X""^ ■ where t ^ Zq and d = h{X, B) for 



HMQV OT d = 2^ + {X mod 2') for MQV. Note that XA'^ = X{X~'^ ^ ■ g^f = XX'^g^'^ = g^'^, and 
the shared DH-secret now is = {XA'^)y~^^^ = g^^^y gtdeb _ y^dQide^ ^g^^j such an attack exponent 
dependent attack. If A sets t = then the shared DH-secret is always 1^. If A sets t = d~^, then 

= YB^. For ah these two specific cases, the value can be publicly computed (without involving 
any secret values). In any case, the computational complexity in computing the shared DH-secret 
by the malicious A is much lesser than that by its peer B, which clearly indicates some unfairness. In 
general, the malicious A can honestly generate its public-key A = g"" and compute the session-keys, thus 
explicitly requiring POP/K of secret-key during public-key registration and explicit key-confirmation 
and mutual authentication (as required by the 3-round (H)MQV) do not prevent the above attacks. As 
there are many choices of the value t by the adversary in different sessions, explicitly checking whether 
the shared DH-secret is YB*^ also does not work. The above attacks can also be trivially modified 
(actually simplified) to be against the one-round HMQV variant. We stress that such attacks do not 
violate the security analysis of HMQ V in \37^ , as they are beyond the CK framework. 

We note that MQV (with embedded subgroup membership test of peer's DH-component) explicitly 
checks the shared DH-secret is not Ic, and thus the attack with t = does not work against MQV. 
But, for (H)MQV with explicit subgroup tests of peer's public-key and DH-component, whether still 
checking the shared DH-secret is \g is however unspecified. In particular, the basic version of HMQV 
|37j does not check whether the shared DH-secret is Iq or not, and POP/K of secret-keys is explicitly 
abandoned in HMQV. We also note the version of HMQV proposed in [38] does check and ensure the 
shared DH-secret is not Iq- But, (H)MQV does not resist the above attacks with t 7^ 0. 

Besides asymmetric computation, such drawbacks also allow more effective DoS attacks. Though an 
adversary can send arbitrary messages to an honest party (say, player B in the above attacks) to issue 
DoS attacks, which however can be easily detected by the authentication mechanism of (the 3-round 
version of) (H)MQV. But, with our above attacks, the honest player B is hard to distinguish and detect 
an attack from an honest execution of (H)MQV. 

This motivates us to introduce a new notion for DHKE, called session-key computational fairness. 
Roughly speaking, we say that a DHKE protocol enjoys session-key computational fairness., if the 
session-key computation (for any successfully finished session between a possibly malicious player and 
an honest player) involves the same number of non-malleably independent dominant- operation values 
for both the malicious player and the honest player. Here, dominant operation is specific to protocols, 
and for (s)OAKE and (H)MQV, the dominant operation is defined just to be modular exponentiation. 
Informally speaking, a set of dominant-operation values {F/,--- , V^} for m > 2 are non-malleably 
independent, if any polynomial-time malicious player / G {A, cannot make these values correlated 
under any predetermined polynomial-time computable relation (no matter how the malicious player 
does). More formally, for any complete session-tag Tag^ we say that a set of dominant-operation 
values {V^/, • • • ,V^} (w.r.t. Tag) are non-malleably independent, if they are indistinguishable from 
independent random values {f7i, • • • , Um} or {C/i, • • • , Uj-i, Vj , f/j+i, • • • , Um} for at most one j, 1 < 
j < m. We then show that (s)OAKE enjoys session-key computational fairness, while (H)MQV does 
not by the above concrete EDA attacks. We also propose some HMQV variants, just in the spirit of 
(s)OAKE and NMJPOK, to prevent our EDA attacks. The key point is to put A (resp., B) into the 
input of d (resp., e). Unfortunately, we failed in providing provable security of these fixing approaches in 
the CK-framework. In particular, we observed that it is hard to extend the security proof of HMQV [37] 
to any of the proposed fixing solutions (indeed, HMQV was very carefully designed to enjoy provable 
security in the CK-framework). Besides lacking provable security in the CK-framework, many other 
advantageous features enjoyed by (s)OAKE are also lost with these fixing solutions. To the best of our 
knowledge, we do not know how to achieve, besides the newly developed (s)OAKE family, implicitly 
authenticated DHKE protocols that enjoy all the following properties: (1) provable security in the CK- 
framework; (2) online optimal (i.e., only one exponentiation) efficiency and/or reasonable deniability; 
(3) session-key computational fairness. The surrounding issues are quite subtle and tricky, and indeed 
(s)OAKE was very carefully designed to achieve all these features (and much more as clarified above). 
Due to space limitation, the reader is referred to Appendix |F] for more details. 

On supporting the public computation model |39| . The work [39] proposed the public 



computation model for KE protocols, where an entity (performing a run of KE-protocol) is split into 
two parts: a trusted authentication device (which enforces the confidentiality of the authentication 
data), and an untrusted computing device (in which some computing operations are publicly carried 
out). This allows to use an authentication device with little computing power, and to make computing 
devices independent from users (3^. Some concrete applications suggested in [3^ are: (1) Mobile 
phones include smart cards which store the user authentication data; the handsets themselves are the 
computing devices. (2) PCs (corresponding to the computing device) equipped with a crypto token 
(corresponding to the authentication device) have a lot more computing power than the token itself, 
but may be plagued by spyware or virus. (H)MQV does not well support deployment with such public 
computation as shown in [39], while (s)OAKE well supports deployment in this model (see details 
in Appendix [H]) . Specifically, the natural split of authentication computation and public computation 
for (s)OAKE is as follows, with the computation of B as an example: (1) The authentication device 
generates {y, Y) and possibly A^^ (in case the authentication device has learnt the peer identity ^4), and 
then forwards Y and possibly A^^ to the computation device; (2) After getting X from the computation 
device, the authentication device computes s = db + ey, and then forwards s to the computation device; 
(3) After getting s from the authentication device, the computation device computes Kj^ = A'^^X'^ and 
the session-key, and then communicate with A with the session-key. Note that y,Y,c,d,A'^y,db can be 
offline pre- computed by the authentication device, and the authentication device can only online compute 
ey and X^ . 

More discussions of the security of (s)OAKE beyond CK-framework are referred to Appendix|Hj The 
security of (s)OAKE, in the CK-framework and beyond, further justifies the soundness and robustness 
of the design rational and building tools of (s)OAKE. 

5 Casting (s)OAKE in Terms of HDR Signatures 

Informally speaking, to distinguish the session-key output of the unexposed test-session from a random 
value, an efficient adversary £/ only has two strategies in the RO model: 

Key-replication attack. £/ succeeds in forcing the establishment of a session (other than the test- 
session or its matching session) that has the same session-key output as the test-session. In this 
case, £/ can learn the test-session key by simply querying the session to get the same key. 

Forging attack. At some point in its run, £/ queries the RO Hk with the value or K^. This 
implies that succeeds in outputting the value or K^. 

At high level, the possibility of key-replication attack against (s)OAKE is ruled out unconditionally 
in the RO model by the NMJPOK and TBSS properties of (s)OAKE, which actually holds also for 
the public- key free variant of (s)OAKE (as matching sessions are defined without taking public- keys 
into account in the CK-framework). Below, we focus on ruling out the possibility of forging attack. 
Intuitively, by the NMJPOK property of (s)OAKE, an attacker can compute the DH-secret Kj^ or 
Kj^ of the test-session only if it does indeed "know" both the corresponding static secret-key and the 
ephemeral DH-exponent, which then violates the discrete logarithm assumption. But, turning this 
intuition into a formal proof needs introducing some non-standard non-black-box assumptions (though 
it much simplifies the security analysis), which may not be very favorable and is left to a subsequent 
separate work (for analyzing (s)OAKE in more security models). In this work, we mainly focus on the 
black-box analysis of (s)OAKE in the CK-framework. In the rest, we show the forging attack can still 
be ruled out in a black-box manner, by casting (s)OAKE in terms of online- efficient and strongly secure 
HDR signatures. Full details (of this section) are given in Appendix iGl 

Informally speaking, a HDR signature scheme is an interactive signature scheme between two parties 
in the public-key model, with the dual roles of signer and challenger. 

Definition 5.1 ((s)OAKE-HDR signatures) Let A,B be two parties with public-keys A = g"-, B = 
g^, respectively. Let rn^, be two messages. The (s)OAKE-HDR signatures of B on messages 
{mj^,m^, A, A, B, B, X,Y) are defined as a vector of values (the signatures of A are defined similarly): 



1. Forger T is given values S, Xq, where B,Xo Gr G. 

2. 7^ is given access to a signing oracle B (of public- key B — and secret- key b). 

3. Each signature query from J- to B consists of the following interactions: 

(a) J' presents B with messages {Z , Z,m2,rnQ). Here, Z can be any (even corrupted) party 
chosen by and Z = G G \ 1g is the public-key of Z. Note that may not necessarily 
know the corresponding secret-key z of Z. 

(b) B generates y Gr Z* and Y = g^, and computes Z"^^, where c = /i(m^,Z, Z, F) for 

OAKE-HDR or c 1 for sOAKE-HDR. Then, B responds with {y,Y = g^^Z^v) to 
J- {which captures the powerful exposure capability to the forger), and stores the vector 
{Z , Z^m^^rng^y^Y, Z'^y) as an "incomplete session". Here, {y,Y,Z'^y) can be offline pre- 

computed by B, and leaked to T prior to the session involving {y,Y,Z'^y). 

(c) J-" presents B with (Z, Z,m^,mj^,Y), and a challenge X . 

(d) B checks that X G G\1g (if not, it aborts) and that (Z, Z, to^, m^, F) is in one 
of its incomplete sessions (if not, it ignores). B then computes r = HK{Z'^y X'^^'^'^^), 
where d = h{mg,B,B,X) and e = h{X,Y) for OAKE-HDR (resp., d = 1 and e = 
(m^,m^,Z, Z,B,B,X,Y) for sOAKE-HDR). B responds (Z, Z, m^,m^,X,y,r) to J", and 
marks the vector {Z , Z,m^,mg,y,Y, Z'^^) as a ^^complete session^\ and stores with it the 
signature values (Z, Z, m^, m^, X, ?/, Y, r). 

4. J-" is allowed a polynomial number of adaptive queries to B in arbitrarily interleaved order. 

5. T halts with output "fail" or with a guess in the form of a tuple {A, A,mi,mo,Xo,YoTrQ). J^'s 
guess is called a successful forgery if the following two conditions hold: 

(a) (^, j4, mi, mo, Xq, Fo, ro) is a valid HDR-signature of B on the messages 
(mi, mo, A, j4, _B, J5, Xo, lo), where ^ is an uncorrupted player of public-key A = g", 
mi corresponds to m^ (that is an arbitrary message sent by the adversary J- impersonating 
the signer B to the honest player A), and mo corresponds to m^ (that is chosen by the 
honest player A). Note that the value Xq is the one received by F as input. 

(b) (A, A, mi, mo, Xq, yb) did not appear in any one of the responses of B to J-'s queries. 
We say F wins the game, if it outputs a successful forgery (w.r.t. any A — g'^ not chosen by F). 

Figure 2: Forgery game for (strongly secure) (s)OAKE-HDR signatures (with offline pre-computation) 
OAKE-HDR. {i,^,m^,m^,X,y,if5'/Gjj/^^(m^,m^,X,y) = HKiA^'X^'^+y'')} , where X = c/^, 

Y = gy are chosen by A, B respectively as the random challenge and response, x,y Sr Z*, 
c = h{m^,A,A,Y), d = h{m^,B,B,X) and e = h{X,Y). 

sOAKE-HDR. {A, A,mj^,m^, X,Y, HSIGf^^^ {m^,m^, X,Y) = HKiA^'X^'^+y'')} , where c = d = 
1, e = h{m^,m^,A,A,B,B,X,Y). 

Definition 5.2 (Strong security of HDR signatures (with off-line pre-computation)) We say 

a HDR signature scheme (of B) is strongly secure, if no polynomial-time machine J- can win the game 
in Figure\^with non-negligible probability with respect to any uncorrupted party A of public-key A = g"" 
such that the secret-key a was not chosen by the attacker F. 

More discussions on the above strong HDR unforgeability security definition and the comparisons 
between (s)OAKE-HDR and HMQV-HDR are referred to Appendix IG.2I Due to space limitation, we 
only present the analysis sketch for OAKE-HDR here, the analysis for sOAKE-HDR is similar and 
actually much simpler. See Appendix O foi' full details. 

Theorem 5.1 Under the GDH assumption, (public-key free) OAKE-HDR signatures of B, with offline 
pre-computed and exposable {y,Y,A'^y), are strongly secure in the random oracle model, with respect to 
any uncorrupted player other than the signer B itself even if the forger is given the private keys of all 
uncorrupted players in the system other than b of B 

Proof (sketch of Theorem lS.ip . The efficient solver C (who runs a supposed forger as a subroutine) for 
the GDH problem is presented in Figure [3l (page [T2|) . It is easy to check, with overwhelming probability, 
the simulation of O is perfect in the RO model (with details referred to Appendix [G]) . 



Here, we only highlight the analysis of the probability that C aborts at step F3. In the RO 
model, except for some negligible probability, F cannot succeed with undefined co,(io)eo- Also, F 
can guess the value r with negligible probability. The only left way for C to abort at step F3 is: tq 
is the value r set by C at one of S3.1 steps, where r is supposed to be Hxicr) w.r.t. a stored vector 
{Z , Z,m^,m^, X,y,Y, Z'^y ,r). Recall that for the value r set at step S3.1, C does not know a (as it 
does not know b), and thus in this case both C and T may not make the RO-query i?x(co) = Hxicr). 
In this case, except for some negligible probability, do = cr, i.e., ^coyo^^o^'+'^oyo _ ^cy-^db+ey ^ where 
c = h{ni2, Z, Z, Y), d = h{nij^, 13, B, X), e = h{X, Y), cq = h{nii, A, A, Yq), do = h{mo, 13, B, Xq), cq = 
h{Xo,Yo), and {mo,mi,A,A,B,B,Xo,Yo) / {mj^,m^, Z , Z, B , B, X,Y). However, by the NMJPOK 
and TBSS properties of OAKE, for any value cr € G \ 1g and any {mi,mo. A, A, 13, B, Xq,Yo), the 
probability Pv[A'^'^y'^ Xq°^~^'^^'^" = cr] < giz^) where Xq is the given random element in G \ 1^, A and 

B are uncorrupted players. This is true, even if the public-key A (resp., B) is removed from cq (resp., 
do), as the public- keys A and B are generated by the uncorrupted players A and 13 independently at 
random, and Xq is the given random DH-component (not generated by the attacker). 

Finally, by applying a slightly extended version of the forking lemma in [53] , which is referred to as 
divided forking lemma and is presented in Section fG.ll we have that, provided that F succeeds with 
non- negligible probability in the first run of C, with non- negligible probability J- will also succeed in the 
repeat experiment CI or C2. In this case, the output of C is the just correct value of CDH{Xq, B). □ 

Now, we consider the case that the forger F is against the signer B itself (i.e., A = B). We further 
distinguish two cases: (1) Iq 7^ -^0 and (2) Yq = Xq. 

Corollary 5.1 Under the GDH assumption, and additionally the KEA assumption, (public-key free) 
OAKE'HDR signatures of 13, with offline pre-computed and exposable {y,Y, A^^), are strongly secure 
in the random oracle model, with respect to the signer B itself with Yq ^ Xq. 

Proof (sketch). The main difference between the proof of Corollary 15.11 and that of Theorem 15.11 
is that, here, the forger outputs with non-negligible probability a successful forgery of the form: 
(mi, mo, B, B, B, B, Xq, Yq, tq), i.e., A = B, where ro = HK{aQ), uq = B'^oyo x^'^^+^'^y" , cq = h{mi,B, B, Yq), 
do = h{mQ, 13, B, Xq), cq = /i(Xo, Iq)- The key point is that, by performing the rewinding experiments, 
we cannot directly output the CDH[B,Xq), as we do not know the private key b of B. Recall that, in 
this case, the uncorrupted player and the signer are the same. 

We modify the algorithm C depicted in Figure [3] as follows: the actions of C remain unchanged until 
the rewinding experiments; but C performs the rewinding experiments according to the order of the 
RO-queries cq, do, cq. 

do posterior to cq, eo- In this case, by rewinding F to the point of making the query do = h{mQ, B, B, Xq), 
and redefines h{mQ, B, B, Xq) to be a new independent d^, C will get g'q = B'^ovo x^'''''^^"^'' . Then, 
from cro and a'^, C gets that CDH{B,Xq) = {a/aQ)^'^o-d'o)-\ Xote that, in this case, C does not 
rely on the KEA assumption for breaking the CDH assumption (but still with the DDH-oracle). 

Co posterior to do,eo. In this case, by rewinding J-" to the point of making the query cq = h{mi,B,B,YQ), 
and redefines h{mi,I3, B, Yq) to be a new independent c'q, C will get a'^ = 5^^,3/0x^06+602/0^ ^hen, 
from CTo and cj^,, C gets CDH{B,Yq) = Byo = (ct/ct^)(^o-^o)"\ That is, given B, C can output 
(YqjB^^). By the KEA assumption, it implies that J-" knows yQ (which can be derived from the 
internal state of J-). More formally, there exists an algorithm that, given B and Xq and the ran- 
dom coins of C and F, can successfully output yo- Now, with the knowledge of yQ, CDH{B,Xq) 
can be derived from do (or (Tq). 

Co posterior to Co,do. In this case, by rewinding F to the point of making the query cq = h{XQ,YQ), 
and redefines /i(Xo,lo) to be a new independent c'q, C will get a'^ = B^^yo Xq""^" . Then, from 
(70 and (t'q, C gets CDH{Xq,Yq) = Xl° = (cj/cj^)(^0"^o)~\ Then, by the KEA assumption, the 
knowledge of yo can be derived, with which CDH{Xq, B) can then be computed □ 

Corollary 5.2 Under the computational Diffie-Hellman (CDH) assumption, (public-key free) OAKE- 
HDR signatures of B, with offline pre-computed and exposable {y,Y,A'^y), are strongly secure in the 
random oracle model, with respect to the signer B itself with Yq = Xq. 



Building the CDH solver C from the OAKE-HDR forger 7" 
Setup: The inputs to C are random elements U — ,V — in G, and its goal is to compute CDH{U, V) = g"" with 
oracle access to a DDH oracle O. To this end, C sets B = V and Xo — U, and sets the public-keys and secret-keys for 
all other uncorrupted players in the system. C runs the forger J" on input {B, Xq) against the signer B of public-key 
B. C provides T with a random tape, and provides the secret-keys of all uncorrupted players other than the signer B 
itself (the attacker T may register arbitrary public-keys for corrupted players, based on the public-keys and secret-keys 
of uncorrupted players). 

Signature query simulation: Each time T queries _B for a signature on values {Z, Z, rrig, m^), C answers the query 
for B as follows (note that C does not know 6): 

51. C generates y Gr Zg, Y = g^ and Z'^^ , where c = h{m2, Z , Z,Y) (that may be pre-defined, otherwise C defines c 

with the RO h). Actually, {y,Y,Z'^^) can be pre-computed by C and leaked to J- prior to the session. Then, C 
responds {y,Y — g^,Z'^^) to and stores the vector {Z, Z,m^,mg,y,Y,A'^^) as an "incomplete session". 

52. T presents C with {Z , Z,m2,mg,Y), and a challenge X. 

53. B checks that X £ G \ Ic (if not, it aborts) and that {Z, Z, m^, mg,Y) is in one of its incomplete sessions (if not, 

it ignores the query). Then, C checks for every value a £ G \ 1g previously used by IF as input to Hk whether 
a = X^'^'^y" , where d = h{mg,B,B,X) and e = h{X,Y) (in case d,e undefined, C defines them with h): it 
does so using the DDH-oracle O, specifically, by checking whether CDH{X, B) = {a/Z"'" X^^)"^ \ If the answer 
is positive, then C sets r to the already determined value of Hk{o-). 

S3.1. In any other cases, r is set to be a random value in {0, I}'', where k is the output length of Hk- Note that, 
in this case, C does not know a = z'^^ X'^''^"^ , as it does not know 6, which also implies that C does not 
make (actually realize) the RO-query _ff_K-(a) even if the value a has been well-defined and known to T. 

Finally, C marks the vector {Z , Z,m^,mg, X,y,Y, Z'^^) as a "complete session", stores 
{Z, Z,m^,mg,X,y,Y, Z'^^ , r) and responds {Z, Z,m^,mg,X,Y,r) to 

RO queries: C provides random answers to queries to the random oracles h and Hk (made by T), under the limitation 
that if the same RO-query is presented more than once, C answers it with the same response as in the first time. But, for 
each new query a to Hk,C checks whether a = Z^^ X'^''+'=y for any one of the stored vectors (Z, Z,m^,mg, X,y,Y, Z'^^ , r) 
(as before, this check is done using the DDH-oracle). If equality holds then the corresponding r is returned as the 
predefined Hk{o'), otherwise a random r is returned. 

Upon J^'s termination. When T halts, C checks whether the following conditions hold: 

Fl. T outputs a valid HDR-signature (A, A, 1111,1110, Xo,Yo,ro), where A 7^ B is an uncorrupted player. In particular, 
it implies that ro should be Hk{oo), where ctq = ^^'=0X0'*''+™''°, Yo = g^° (chosen by F), co = h{mi. A, A,Yo), 
do = h{mo, B, B, Xo) and eo = h{Xo, Yo). 

F2. {A, A, nil, mo, Xo, Yo) did not appear in any of the above responses of the simulated OAKE-HDR signatures. 

F3. The values co = h{mi, A, A,Yo), do = h{mQ, 13 , B , Xo) and eo = h{Xo,Yo) were queried from the RO h, and the 
value Hk{oo) was queried from Hk being posterior to the queries co,do,eo. Otherwise, C aborts. 

If these three conditions hold, C proceeds to the "repeat experiments" below, else it aborts. 

The repeat experiments. C runs F again for a second time, under the same input (_B,Xo) and using the same coins 
for F. There are two cases according to the order of the queries of h{mo, B, B, Xo) and h{Xo, Yo) 

CI. h(mo, B , B , Xo) posterior to h{Xo,Yo): C rewinds F to the point of making the RO query h{mo, B, B , Xo), 
responds back a new independent value do £r {0,1}'- AH subsequent actions of C (including random an- 
swers to subsequent RO queries) are independent of the first run. If in this repeated run F outputs a 
successful forgery {A' , A' ,mi,mo, Xo,Yo,ro) satisfying the conditions F1-F3 (otherwise, C aborts), which par- 
ticularly implies that r'o = HKicr'o), o'o = ^'fo^o jSs:^'*o+!'o'=o ^ ^ computes CDH{U,V) = CDH{Xo,B) = 

[(ao/Yo"'")/('^o/yo"'")]'""~''°'" , where a and a' are the private keys of the uncorrupted A and A' (different 
from _B, which are assumed to be known to C). Note that {A' , A' ,m'i) need not necessarily to equal [A, A, mi). 

C2. h[Xo,Yo) posterior to h(mo, B , B , Xo): C rewinds F to the point of making the RO query h{XQ,Yo), re- 
sponds back a new independent value e'o £r {0, 1}'. If in this repeated run F outputs a successful forgery 
(A' , A' ,m'i,mo, Xo,Yo,r'o) satisfying the conditions F1-F3 (otherwise, C aborts), which particularly implies that 

r'o = HK{a'o), a'o = A'™'=oXo''"+^°"« , C computes X^« = ((ao/yo"'")/('^o/i^o"'"°))*"°""°^ and then CDH{U,V) = 

CDH{Xo,B) ^ {ao/{{Xr,°)^° ■Yr°))''o'. 

Figure 3: Reduction from GDH to OAKE-HDR forgeries 



After establishing the strong unforgeabihty security of (s)OAKE-HDR, similar to the analysis of 
HMQV, the analysis of (s)OAKE within the CK- framework is quite straightforward and less interesting. 
In particular, the special structure of sOAKE-HDR also much simplifies the security analysis of sOAKE 
by only using the standard forking lemma [53], and tightens the security reductions. Full details are 
referred to Appendix IG.3i 
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A Variants of (H)MQV 

Three-round HMQV (resp., MQV) adds key confirmation as follows: let Km = Hk{I^^,0) = Hk{I'^q-, 0), 
B uses Km as the MAC key to authenticate (resp., {2,B,A,Y,X)) in the second-round of HMQV 
(resp., MQV); and A uses Km to authenticate 1 (resp., {2>,A,B,X,Y)) in an additional third-round of 
HMQV (resp., MQV). The session-key is set ioheK = Hk{K^, 1) = Hk{K^, 1). 

In one-round HMQV, only A sends X, and the session-key is derived as follows: K^ = B^'^'^"', 
K^ = {XA'^f, d = h{X,A,B), K = Hk{K^) = Hk{K^). 

B NMJPOK: Motivation, Formulation, and Implementations 

We consider an adversarial setting, where polynomially many instances (i.e., sessions) of a Difhe-Hellman 
protocol {A,B) are run concurrently over an asynchronous network like the Internet. To distinguish 
concurrent sessions, each session run at the side of an uncorrupted player is labeled by a tag, which is the 
concatenation, in the order of session initiator and then session responder, of players' identities/public- 
keys and DH-components available from the session transcript. A session-tag is complete if it consists 
of a complete set of all these components. 

In this work, we study the mechanisms for non-malleably and jointly proving the knowledge of 
both b and y w.r.t. a challenge DH-component X between the prover B (of public-key B = and 
DH-component Y = g^) and the verifier A (who presents the challenge DH-component X = g^), where 
b,y,x E Z*. In particular, we investigate joint proof-of-knowledge (JPOK) of the type JPOK(py-^ = 
fQ{X^,auxQ) ■ fi{Xy,auxi) in the random oracle model, where /q and f^ are some functions from 
{0, 1}* to G \ 1(5 with oracle access to an RO h : {0, 1}* — >■ {0, 1}', auxQ and auxi are some public 
values. Moreover, we look for solutions of JPOK^^ y^^ such that JPOK^f, y-^ can be efficiently computed 
with one single exponentiation by the knowledge prover. Note that the tag for a complete session of 
JPOKi^y^ is {A,B,B,X,Y). The possibility of NMJPOK without ROs (based upon pairings) is left 
to be studied in a subsequent separate paper. In the rest of this paper, we denote by the output length, 
i.e., I, of h as the security parameter. 



One naive solution of JPOK^b,y) is just to set JPOK(^h,v) = ■ Xy = X^+y . But, such a naive 
solution is totally insecure, for example, an adversary A can easily impersonate the prover B and 
pre-determine the value of JPOK(iy y^ to be Ig, by simply setting Y = B~^. The underlying reason 
is: A can malleate B and Y into xy^^ by maliciously correlating the values of y and b, but actually 
without knowing either of them. A further remedy of this situation is to mask the exponents b and 
y by some random values. In this case, the proof is denoted as JPOK^^ y^ = X'^^^'^y , where d and e 
are random values (e.g., d = h{X,B) and e = h(Y,A) as in HMQV in the RO model). The intuition 
with this remedy solution is: since d and e are random values, the values of db and ey are also random 
(even if the values Y and B, and thus the values of y and b, may be maliciously correlated). This 
intuition however turns out also to be wrong. With the values d = h{B,A) and e = h{X,B) as an 
illustrative example, after receiving X an adversary A can generate and send Y = B~'^/^, and in this 
case JPOK(p y^ = X'^^^'^y = Iq- This shows that masking b and y by random values is also not sufficient 
for ensuring the non-malleability of JPOK(ij yy The key point here is that the values db and ey are 
not necessarily independent. A series of careful investigations bring us to the following principles for 
proving DH knowledges non-malleably and jointly: 

Inside Computational Independence. Denote Sq = {X,B}, Zq = CDH{X,B) = g^'^, Fq = 
/o (Zq, aiiXo), 5*1 = {X,Y}, Z\ = CDH{X,Y) and Fi = fi{Zi,auxi). The key principle is: the inside 
multiplied components Fq and Fi of JPOK^p y^ should be computationally independent, no matter 

how a malicious knowledge prover B (of public-key B = g^ ^ G) does. That is, the adversarial 
attempts at Zs for any 6 G {0,1} should be essentially sealed (i.e., localized) to Fs, and are isolated 
(i.e., "independent") from the adversarial attempts at Zi^s- This essentially ensures that no matter 
how the possibly malicious knowledge-prover B does, to compute JPOK(^ y^ B has to compute two 

^independent" DH-secrets Fq and Fi w.r.t. the fresh challenge X, which implies that B does indeed 
"know" both b and y. 

Definition B.l (computational independence) We formulate two types of "computational inde- 
pendence" w.r.t. JPOK^py^ 

(1) Self-sealed computational independence. Given arbitrary values (a, /3) € (G\1g')^, no matter how 
a malicious B does, both Pr[Fo = a] and Pr[i<'i = f3] are negligible. 

(2) Committed computational independence. There exists 6 € {0, 1} such that for any a € G \ 1g 
Pr[F5 = a] is negligible, no matter how a malicious B does. This captures the independence of Fs on 
Fis, i.e., the infeasibility of adversarial attempts by a malicious prover on setting Fg to be correlated 
to Fi^sj On the other hand, the value Fi^g is committed to Fg, in the sense that 

• Si-sljauxi^s ^ auxs- 

• Given {Zs,auxs) that determines Fs = f^{Zs,auxs), no efficient algorithm can provide, with 
non-negligible probability, {S[_g, aux'^_g) C aux'g (w.r.t. the same challenge X = Sis Pi S[_^ 
from A and auxs — auxis = aux'^ — aux[_^) such that S[_^\Jaux'^_g 5i_5 (J atta;i_5 but 
f^{Zs,auxs) = fs{Zs,aux'g).That is, any adversarial attempt by a malicious prover on setting 

to be correlated to a given value Fs, by changing {Si-s,auxis} into {S[_g,aux'^_g} w.r.t. 
the same random challenge X = Si^sf^S[_g and auxg — auxi^s = aux'^ — aux'^_g (for example, by 
simply changing B for the case of 5 = 1 orY for the case of 6 = 0), will cause the value Fs itself 
changed that in turn determines and commits to the value Fi_s (while Pr[Fs = a] is negligible 
for any a G G \ Ic)- This implies the infeasibility of adversarial attempt on setting Fis to be 
correlated to Fs, i.e., the "computational independence" of Fi^s on Fs. 

The probabilities are taken over the random coins used by the malicious B and the honest A, and 
the choice of the random function h in the RO model. 

Informally speaking, the underlying rationale of NMJPOK(ii y-^ is: given a random challenge X, no 
matter how a malicious B chooses the values Y = gy and B = g^ (where the values y and b can be 
arbitrarily correlated), it actually has no control over the values db and ey in the RO model. That is, by 
the birthday paradox it is infeasible for a malicious B to set db (resp., ey) to some predetermined value 



with non-negligible probability in the RO model (in order to make the values db and ey correlated). 
Alternatively speaking, given a random challenge X, (by the birthday paradox) it is infeasible for a 
malicious B to output B = and Y = such that the values db and ey satisfy some predetermined 
(polynomial-time computable) relation with non-negligible probability in the RO model. 

The situation with sNMJPOK^f^y^ is a bit different. Though as in NMJPOK^i,^y^, the malicious 

prover B is infeasible to set ey to a predetermined value, B can always set the value db = b at its wish 
as d = 1 for sNMJPOK^j^ yy But, B is still infeasible to set the value b correlated to ey = h{B, X, Y)y, 
particularly because the value B is put into the input of e. Specifically, for any value B (that determines 
the value b) set by B, with the goal of making b and ey correlated, the probability that the values 
ey = h{B,X,Y)y and b satisfy some predetermined (polynomial-time computable) relation is negligible 
in the RO model (again by the birthday paradox). In particular, the probability that Pi[b = /(ey)] 
or Pr[/(6) = ey], where / is some predetermined polynomial-time computable function (that is in turn 
determined by some predetermined polynomial-time computable relation) , is negligible in the RO model, 
no matter how the malicious B does. 

Outside Non-Malleability. As JPOK may be composed with other protocols in practice, another 
principle is that the JPOK provided by one party in a session should be bounded to that session, in 
the sense that the JPOK should not be malleated into or from other sessions. This is captured by the 
following definition, which particularly implies the property of "key control" [30] for DHKE. 

Definition B.2 (tag-binding self-seal (TBSS)) For a DH protocol in the RO model, denote by Zxag 
the random variable of the shared DH-secret in G (say, JPOK or session-key) determined by a complete 
session-tag Tag (taken over the choice of the random function h in the RO model). We say it is tag- 
binding self-sealed, if for any a S G \ 1g o.iT'd any complete Tag, Vi[ZTag = o] < ^(2'') ^^^^e I is the 
security parameter. The probability is taken over the choice of the random function h in the RO model. 

The definition of TBSS particularly implies that: given an arbitrary yet complete session-tag Tag, 
by the birthday paradox no efficient (polynomial-time) algorithm can, with non- negligible probability, 
output a different Tag' 7^ Tag such that Zj^ag' and Z^ag collide in the sense Z^ag' = Zxag in the RO 
model assuming /i is a random function. In more detail, by the birthday paradox, the probability that 
an efficient algorithm finds two colliding tags {Tag, Tag') such that Z^ag = Z^ag' is bounded by O(^), 
where T = poly(l) is the running time of the algorithm. In a sense, the DH-secret determined by a 
complete session-tag is "bounded" to this specific session, and is essentially "independent" of the outside 
world composed concurrently with the current session. In particular, the shared DH-secret is random 
and unpredictable. 

TBSS vs. contributiveness. The work [5] introduced the notion of "contributiveness" property for 
password-authenticated group key exchange protocols, which roughly says that the distributions of 
session-keys are guaranteed to be random, as long as there are enough honest players in a session. We 
noted that our TBSS definition, originally presented in [H [2] independently of [3], has similar security 
guarantee. As we shall see, (H)MQV lacks the TBSS property by the EDA attacks presented in Section 
14.21 which implies also that the TBSS property is not captured by the CK-framework. 

We say that JPOKf^^ y-^ is a non-malleable joint proof-of- knowledge (NMJPOK), of the knowledges 
(6, y) w.r.t. the random DH-component challenge X, if JPOK(p y-^ satisfies both the above two principles. 

Preferable candidates for NMJPOK. Guided by the above principles, we propose two preferable 
solutions for NMJPOK in the RO model: 

• Self-sealed JPOK (SSJPOK): SSJPOK^k^y) = X'^^+^y , where d = h{A, B, B, X) and e = h{X, Y); 
Specifically, ouxq = {A,B,B,X] and auxi = {X,Y], Fq = fl}{X\auxo) = X^'^C^^^o) and 
Fi = f^{Xy,auxi) = Xf'^^""^!). Here, h : {0, 1}* {0, 1}70 C Z* is a hash function and / w \q\ 
(in the unlikely case that h{x) = for some x, the output of h{x) can be defined by default to be 
a value in Z* - {0,1}'). 

• Single-hash SSJPOK (sSSJPOK): sSSJPOK(^h,y) = X'^^+^y, where (i = 1 and e = h{A, B, B, X, Y); 
Specifically, ouxq is empty and auxi = {A, B, B, X,Y}, Fq = /q (X'', auxo) = X'^ and Fi = 
f^{Xy,auxi) = Xf'^C""^!). 



Needless to say, there are other NMJPOK candidates (e.g., d = h{B,X) and e = h{A,B,X,Y), or 
d = h{A, 13, B, X, Y) and e = h{Y, X, 13, A), etc). But the above explicitly proposed solutions enjoy the 
following advantageous properties, which make them more desirable: 

• Post-ID, modular and offline computability of SSJPOK. Specifically, as the input of e does not 
include A's identity and public-key, A can first send X without revealing its identity information. 
In this case, B can first compute X^^, and then X"^^ only after learning A's identity and public-key. 
Also, without inputting Y into d allows A to pre-compute B'^^{= X'^^) prior to the protocol run. 

• sSSJPOK is preferable because of its offline computability, more efflcient computational complexity 
and the less use of hash function h. 

It is quite straightforward to check that, in the RO model, SSJPOK (resp., sSSJPOK) satisfies 
self-sealed (resp., committed) computational independence, and both of them are tag-binding self- 
sealed. In more details, for SSJPOK, for any given values {B,Y) (which determine {h,y)) output by 
a malicious prover B and any value /3 G Z* Vi[db = /3] (resp., Pr[ey = /3]) is constant: either or 

273j- in the RO model (no matter how a malicious prover B does). The committed computational 
independence of sSSJPOK is from the observation: {X, B} (that determines Fq = X^) are committed 
to Fi = in the RO model as {X,B} C auxi. The TBSS property of (s)SSJPOK can be 

derived by a straightforward calculation. Proof details that (s) SSJPOK are NMJPOK in the RO model 
are given below. 

Proposition B.l SSJPOK is NMJPOK in the RO Model. 

Proof. We first prove the self-sealed computational independence of SSJPOK in the RO model. Note 
that for SSJPOK, Fq = X'^^ = x''^^'^'^'^^^ and Fi = X'^y = X^^^'^^y, where 6, y, x € Z*. For any given 
challenge X £ G \1g, each pair of values {B = g\Y = gV) G (G \ Icf (that determine (6, y) G {Z*f) 
and any pair of given values a = g°', f5 = G {G\ Ig)"^, where a, /3 G Z*, we consider the set of values 
that Fq can be assig ned in the RO model Spo = {X'^''\0 <d = h{A, B, B, Y) <2^ - 1} and also the set 
of values that Fi can be assigned in the RO model = {X'^^^jO < e = h{X,Y) < 2^ - 1}. If a ^ % 
or d = (resp., /3 ^ Spi or e = 0), then we have Pr[Fo = a] = (resp., Pr[Fi = /3] = 0). If a G Spo 
(resp., /3 G Spi), then we have Pr[Fo = a] = (resp., Pr[Fi = /3] = 2131) the RO model. As 
the malicious prover 13 is polynomial-time, we have that, no matter the polynomial-time malicious 13 
does on a challenge X, the probability that it outputs B,Y such that Fq = a and Fi = /? is negligible. 
Specifically, suppose = 2' - 1 and T = poly{l) is the running time of by the birthday paradox the 
probability that on input {X, a, (5) the malicious B outputs {B, Y) such that Fq = a or Fi = /3 is at 
most '^^^^^ that is negligible (in /). 

Next we prove the TBSS property of SSJPOK in the RO model, which is based on and can be 
easily derived from the NMJPOK property of OAKE. For a complete session of SSJPOK, its tag is: 
Tag = {A,B,B = g\X = g'',Y = gy), where h,x,y £ Z*, we consider the value Zpag = X'^^+'^y = 
j^h{A,B,B,Y)b . j^h{x,Y)y [^1 the RO model where h is assumed to be a random oracle. As for each value 
a e G\1g, Pr[X'^(^'-^'-^''*')* = a] < and PvlX'^^^'^^y = a] < ^ in the RO model, we get (by 
straightforward calculation) that PrlZxag = < 0{-^). □ 

Proposition B.2 sSSJPOK is NMJPOK in the RO model. 

Proof. We first show the committed computational independence property of sSSJPOK. Similar to 
the analysis of Proposition IB. 11 for the case 5 = 1 we have that for any given a G G \ Ic and any DH- 
component challenge X, and any {B,Y) G (G \ Ig^, Fv[Fs = = xy^^^'^'^'^'^'^ = < 

in the RO model, where 6 = 1. As the malicious B is polynomial-time, we have the probability that 
the malicious B outputs {B,Y), given a random challenge X and a given value a G G \ 1g, such that 
Fi = a is negligible in the RO modelH Then, the committed computational independence of sSSJPOK 
is from the following observation that X^ is committed to xy^^'^'^'^'"'^''^\ Specifically, 

■^Specifically, by the birthday paradox, the probability is at most 0(-|r), where T = poly{l) is the running time of B. 



• Si-s = So = {X, B} C auxs = auxi = {A, B, B, X, Y}. Note that the value Fq = Zq = X^ (resp., 
Fi = f^{Zi,auxi) = f^{Xy,auxi) = = is determined by Sq = {X,B} 
(resp., auxi = {A, B, B, X,Y}), and auxo is empty for sSSJPOK. 

• Given = Zi = X'^ and auxg = auxi = {A,B,B,X,Y}, for any B' ^ B such that Sq = 
{X,B'} C aux[ = {A,B,B',X,Y}, we get Pr[/{^(Zi, auxi) = f^{Zi,aux[)] = PrfX^^'^CAS.s.x.Y) ^ 
j^yh{A,B,B' ,x,Y)] < ^rr]". Thus for any polynomial-time algorithm, the probability that it, on in- 
put Zi,auxi, outputs S'q = {X,B'} for B' ^ B such that XJ^'^l^.s.s.x.y) ^ j^j/h(i,B,i?',x,y) 
negligible (again by the birthday paradox). 

Next, we show the TBSS property of sSSJPOK in the RO model, which is based on and can be 
easily derived from the NMJPOK property of OAKE. For the tag Tag = {A, B, B, X, Y) of a complete 
session of sSSJPOK, we consider the value Zxag = X^+v'^'^^'^'^'^'^'^ = X^ ■ xy'^'^^'^'^'^'^l No matter 
what value X'' is, for any value a e G \ 1g we have Y'liXy''^^'^'^'^'^^ = a] < in the RO model. 
Thus, for any value a € G \ 1g we have also that FT:[ZTag = a] < ^tty = O(^). □ 

C Some Variants of (s)OAKE 

One-round OAKE (oOAKE): The player A sends X = 17^ to B. Normally, A is a client machine 
and S is a server machine. Let Kj^ = and = where e = h{A,A,B,B,X) and the 

session-key is K = Hk{K^) = Hk{K^). For oOAKE, it is also recommend to set the output length 
of h to be shorter, e.g., |g|/2, to ease the computation of = A^X'^^ = {AX'^)^ in some application 
scenarios (e.g., when the pre-computation of A'^ is inconvenient). 

Note that the computational complexity of ^ is 2 exponentiations in total and all the computation 
of A can be offline. To improve the on-line efficiency of B, the player B can pre-compute A'' in an 
off-line way (and store it in a database entry corresponding to the client A), and only on-line computes 
X'^'^ and X"^ which amounts to about 1.2 exponentiations (it is recommended for B to explicitly check 
the subgroup membership of X). In case of embedded subgroup test, B should explicitly check X ^ G' 
and X'^^^ 7^ Iq (only checking Kj^ 7^ Iq is not sufficient to prevent the small subgroup attack). We 
remind that oOAKE intrinsically suffers from the key compromise impersonation (KCI) vulnerability in 
case S's static secret-key h is compromised, and lacks perfect forward secrecy (the same vulnerabilities 
hold also for one-round variant of HMQV). 

Robust (s)OAKE: The only difference between robust (s)OAKE and (s)OAKE is that, the values 
and in robust (s)OAKE are set to be: = 5«+^<^y'^c+xe ^ j^b+y^^M+ye_ Specifically, 

the values and Kj^ in OAKE and sOAKE are now multiplied with the value g""^ in robust OAKE 
and robust sOAKE. 

We show in Appendix IG.2.11 that the provable security of (s)OAKE in the CK-framework can be 
easily extended to robust (s)OAKE under the same complexity assumptions. 

Adding (explicit) mutual authentication. For adding mutual authentication to (s)OAKE, 
besides the session-key K we also need a MAC-key Km to be used within the protocol run (but erased 
after the protocol run). Both the session- key and MAC-key are derived from the shared DH-secret 
Kj^ = K^, and are independent in the random oracle model. For (s)OAKE with mutual authentication, 
B sends an additional value ts = MACxmi^) the second-round, and A sends tA = MACxj^iO) in 
an additional third-round. For oOAKE with mutual authentication, the player A can additionally send 
tA = MACk^{0) in the first-round, and the player B responds back MACk^{1) in the subsequent 
round. In practice, the message authentication code MAC can be instantiated with HMAC |6]. 

D More Discussions on the Specification of (s)OAKE 

Subgroup test vs. ephemeral DH-exponent leakage. We note that the damage caused by ignoring 
the subgroup test of peer's DH-component (but still with the supergroup G' membership check) can 



be much relieved (and even waived), if the ephemeral private values generated within the protocol run 
are well-protected. For example, even if an adversary learns some partial information about db + ey by 
issuing a small subgroup attack against the honest B (by setting X to be in a small subgroup), it still 
cannot derive the value b without compromising the ephemeral value y. Also note that the adversary 
actually cannot derive the full value of db + ey by small subgroup attacks, as the DH-exponent y 
is independent at random in each session. In this case, we suggest that embedded subgroup test is 
sufficient. For presentation simplicity and unity, in the rest of this paper, it is assumed that t = ^ for 
implementations with embedded subgroup test, and t = 1 with explicit subgroup test. 

Ephemeral private values exposable to adversary. The ephemeral private values exposable 
to adversary, generated by the honest 13 (resp.. A) during the protocol run, are specified to be: y 
(resp., x) if B (resp.. A) does not pre-compute A'^^ (resp., B"^^), or {y,A'^y) (resp., {x,B'^^)) if B (resp., 
A) pre-computes A'^^ (resp., B'^^). Other ephemeral private values are erased promptly after use. We 
remark all ephemeral private values, except for the session-key in case the session is successfully finished, 
generated by an honest party within the protocol run are erased after the session is completed (whether 
finished or aborted). For expired sessions, the session-keys are also erased. 

E More Discussions on the Security of (s)OAKE vs. HMQV 

Assuming all the DH-components generated by all uncorrupted players are not exposed to the at- 
tacker prior to the sessions involving them (e.g., all honest players only generate fresh ephemeral DH- 
components on the fly, i.e., without pre-computation, in each session), and assuming all the ephemeral 
DH-exponents generated during session runs are unexposed to the attacker, the SK-security of HMQV 
can be based on the CDH assumption, while we do not know how to prove this property with (s)OAKE. 
This is the only advantage of HMQV over (s)OAKE that we can see. 

However, as already stressed in [37], security against exposed DH-exponents is deemed to be the 
main and prime concern for any robust DHKE, and security against exposed offline pre-computed values 
(particularly, the DH-components) is important to both lower-power devices and to high volume servers 
[37] . The reason is, as pointed out in [37], many applications in practice will boost protocol performance 
by pre-computing and storing values for later use in the protocol. In this case, however, these stored 
values are more vulnerable to leakage, particularly when DHKE is deployed in hostile environments 
with plagued spyware or virus and in view of that the offline pre-computed DH-components are much 
less protected in practice as they are actually public values to be exchanged in plain. 

Also, for DHKE protocols running concurrently in settings like the Internet, we suggest it is unrea- 
sonable or unrealistic to assume non-precomputation and non-exposure of the public DH-components 
for all uncorrupted parties in the system. Note that, whenever there is an uncorrupted player whose 
DH-component is exposed prior to the session in which the DH-component is to be used (the attacker 
can just set this session as the test-session), the security of HMQV relies on both the GDH assumption 
and the KEA assumption in most cases as clarified in Section [4. 1[ 

For the above reasons, we suggest that the security advantage of HMQV over (s)OAKE in this 
special case is insignificant in reality. Note that, even in this special case, (s)OAKE enjoys other 
security advantages: (1) stronger embedded subgroup test supported by offline pre-computability of 
A"^^ and B'^^; (2) resistance to more powerful secrecy exposure of the additional pre-computed private 
values A'^y and B'^^; (3) stronger resistance against collision attacks on the underlying hash function h; 
(4) tighter security reduction of sOAKE. Further note that, in the case of pre-computed and exposed 
DH-components, (s)OAKE is based upon weaker assumptions (i.e., only the GDH assumption) than 
(H)MQV (that is based on both the GDH assumption and the KEA assumption) for the most often 
case oi A ^ B. 

(s)OAKE vs. robust (s)OAKE. Note that, in comparison with (s)OAKE that enjoys reasonable 
deniability, the variant of robust (s)OAKE proposed in Appendix [C] loses the reasonable deniability 
property. But, it seems that robust (s)OAKE may render seemingly stronger security, in the sense that 
even both the ephemeral DH-exponents x and y are exposed by an adversary the adversary still cannot 



compute the DH-secret or K^. We suggest that such a security advantage of robust (s)OAKE over 
the plain (s)OAKE is not significant, based on the foUowing observation: 

• If we assume a powerful adversary that can expose both ephemeral DH-exponents x and y for the 
test session, then it may also be reasonable to assume that the adversary can expose one of the 
values {K^,Kj^) for that exposed session. Note that, from {x,y) and one of the values {Kj^,K^), 
the adversary can compute the value g"'^. As the value 

gab 

fixed and used in all sessions, once the 
value g"'^ is gotten the adversary can compute the session-key for all other sessions with exposed 
both ephemeral DH-exponents. 

In the CK-framework, the test-session and its matching session (in case the matching session exists) 
are assumed to be unexposed. That is, in the CK-framework, the adversary is only allowed to exposed 
ephemeral DH-exponents (and maybe other private values) for sessions other than the test-session and 
its matching session. Actually, as we show in Appendix [Gl (s)OAKE is secure in the CK-framework 
assuming exposed DH-exponents {x,y) and off-line computed values (A'^^ , B'^^). 

Based on the above observations, we suggest (s)OAKE achieves much better balance between security 
and privacy than robust (s)OAKE. 

F Formulation and Analysis of (Session-Key) Computational 
Fairness 

In Section 14.21 we introduced the new perspective of "computational fairness" for DHKE by concrete 
EDA attacks against (H)MQV, and showed that computational unfairness can cause some essential 
security damages to DHKE protocols. We now consider how to formulate "computational fairness" for 
DHKE protocols. 

A first thought is to require that, to successfully finish a session (with session-key output) with 
an honest player (e.g., player B), the computation of the malicious player (e.g.. A) and that of its 
honest peer should have the same computational complexity. But, such a formulation is imprecise 
and does not work. With (s)OAKE as an example, the honest player B has two ways to compute 
= A'^y X'^^'^^'^ : one way is to use the simultaneous exponentiation techniques, which amounts to 
about 1.3 exponentiations; and another way is to compute two separate exponentiations A^^ (that can 
be offline computed) and X'^^'^^^ and then multiply them to get Kj^. Moreover, there exist a number 
of different methods for simultaneous exponentiations with (slightly) varying computational complexity 
[431 130^ [22]. Thus, simply requiring the computational complexity of a malicious player and that of its 
honest peer to be the same is meaningless in general. 

In this work, we focus on session-key computational fairness, i.e., the computational fairness in 
computing the session- key, for implicitly authenticated DHKE protocols like (H)MQV and (s)OAKE 
as are the focus of this work (extension to general interactive protocols is discussed later). For any 
complete session-tag (e.g.. Tag = {A,A,B,B,X,Y) here for (H)MQV and (s)OAKE)) and / e {A,B}, 
we first identify dominant- operation values w.r.t. Tag and I, {V( , • • • , V^^) G Gi x • • • x Gmj,mi > 2, 
which are specified to compute the session-key K by honest player / G {A, B} for a complete session of 
DHKE specified by the complete session-tag Tag, where Gi, I < i < mj is the range of V/ . Specifically, 
K = Fk{VI , • • • , Vj^j,Tag), where K is the session-key output, Fk is some polynomial-time computable 
function (that is defined by the session- key computation specified for honest players). The dominant- 
operation values of a complete session are random variables defined over the complete session-tag (as well 
as the choice of the random function in the RO model) . We remark that dominant operations are specific 
to protocols, where for different key-exchange protocols the dominant operations can also be different. 
For (s)OAKE and (H)MQV, the dominant operation is defined just to be modular exponentiation. 
Then, roughly speaking, we say that a DHKE protocol enjoys session-key computational fairness, if for 
any complete session-tag Tag, the session-key computation involves the same number of non-malleahly 
independent dominant-operation values for both / € {A,B}. Here, "non-malleable independence" 



is defined in reminiscent of Definition IB.ll Specifically, we consider two notions of "non-malleably 
independence" . 

Definition F.l (strong non-malleable independence) For the dominant- operation values, 
(y/, • • • ,V^m^) € Gi X • • • X Grn, m > 2 and I € {A,B}, w.r.t. a complete session-tag Tag on any 
sufficiently large security parameter n, we say V^,--- , are strongly computationally (resp., per- 
fectly) non-malleably independent, if for any polynomial-time computable (resp., any power unlimited) 
relation/ algorithm R (with components drawn from Gi x ■ ■ ■ x G„ij x {0, 1}* j it holds that the following 
quantity is negligible in n (resp., just Q): 

I Vt[R{vI, • • • , f4 , Tag) = 1] - Pr[fl(C/i, • • • , Um,,Tag) = 1], 

where Ui,l < i < nij is taken uniformly at random from Gi, and the probability is taken over the 
random coins of R (as well as the choice of the random function in the random oracle model). 

Remark: Note that the above Definition IF. II is defined w.r.t. any complete session-tag, which does 
not explicitly take the malicious player's ability into account. But, this definition ensures that, by the 
birthday paradox, for any successfully finished session between a malicious player (e.g., player I = B) 
and an honest player (e.g., player A), no matter how the malicious player does (on the identity and 
DH-challenge of the honest player, i.e., (A, X)), it holds that: for any («!,••• ,0™/) G (G \ Iq)^' , 
the probability that Pr[VJ^ = Oj] is negligible for any i, \ < i < mj. The reason is: for each concrete 
choice of {B,Y) by B (which then determines a complete session-tag), the distribution of the values 
(Yi , ■ ■ ■ , V^^) is indistinguishable from the uniform distribution. As the malicious player is polynomial- 
time (i.e., can make at most polynomial number of choices), by the birthday paradox it holds that the 
malicious player can set to be a predetermined value only with negligible probability. This means 
that the malicious player cannot make the values (F/, • • • , V^^) maliciously correlated (under any pre- 
determined polynomial-time computable relation) with non-negligible probability. In this sense, the 
notion of "self-sealed computational independence" in accordance with Definition lB.il (which is defined 
specific to NMJPOK for proving the joint knowledge of b and y w.r.t. a single DH-challenge X) can be 
viewed as a special and weaker case of strong non-malleable independence defined here. 

Definition F.2 (general non-malleable independence) For the dominant- operation values, 
{Vi,--- ,V^j.) G Gi X • • • X Gmi, mi > 2 and I G {A,B}, w.r.t. a complete session-tag Tag on 
any sufficiently large security parameter n, we say F/, • • • ,1^^ are generally computationally (resp., 
perfectly) non-malleably independent, if there exists at most one j, 1 < j < mj such that for any 
polynomial-time computable (resp., any power unlimited) relation/algorithm R (with components drawn 
from Gi X ■ ■ ■ X Gmj x {0, it holds that the following quantity is negligible in n (resp., just Q): 

I Pr[i?(y/, • • • , F/, • • • , V4, Tag) = 1] - Pr[i?([/i, • • • , F/, C/,+i, • • • , U^,,Tag) = 1], 

where Ui,l < i ^ j < mj is taken uniformly at random from Gi, and the probability is taken over the 
random coins of R (as well as the choice of the random function in the random oracle model). 

Remark: The definition of general non-malleable independence says that the distribution of {V-^ , • • • , 
Vj_i, Vj , Vj_^_i, ■ ■ ■ , Vj^^) is computationally indistinguishable from {Ui, • • • , Uj-i, Vj , ?7j+i, • • • , Umj)- 
As the values (C/i,-- - ,Uj-i,Vj ,Uj^i, ■ ■ ■ ,Umj) are mutually independent, it then implies that the 
values of (F/, • • • , Vj_i, Vj , V^+i, • • • , Vmj) ^'^s also computationally independent. This definition also 
ensures that, no matter how a malicious polynomial-time player / € {A, B} does, (by the birthday 
paradox) it holds that: (1) The malicious player cannot make the values (F/, • • • , Vj_i, Vj_^_i, ■ ■ ■ , Vj^^) 
correlated to Vj under any predetermined polynomial-time computable relation. In particular, for any 
(ai, • • • ,aj-i,aj+i, ■ ■ ■ ,ami) G (G \ 1g)"'^"\ Pr[F/ = a,] is negligible for any i,l < i ^ j < mi. (2) 
Any efforts of the malicious player in order to change the value (which then changes the session-tag) 



will cause all other values {V^ , ■ ■ ■ , Vj_i, l^+i, ■ ■ ■ , V^^) changed (to some values indistinguishable from 
random ones). Thus, the malicious player is also infeasible to set the value Vj correlated to any of the 
values (y/, • • • , Vj_i, Vj_^_i, • • ■ , Vj^^). This also further implies that the value Vj is committed to V/ for 
any i,l < i ^ j < mj, in the sense that: the malicious player cannot (with non- negligible probability 
by the birthday paradox) output two different session tags on which the values Vj are different but 
the value V/ remains the same. In this sense, the notion of "committed computational independence" 
in accordance with Definition IB. II (which is defined specific to sNMJPOK) can be viewed as a special 
and weaker case of general non-malleable independence defined here. Finally, it is direct that strong 
non-malleable independence is stronger than general non-malleable independence. 

Definition F.3 ((session- key) computational fairness) We say a DHKE protocol has session-key 
computational fairness, if for any complete session-tag Tag on any sufficiently large security parameter 
n, the session-key computation involves the same number of non-malleably independent dominant- 
operation values for any I € {A, 13}. That is, for any complete session-tag Tag on sufficiently large 
security parameter and for each player I € {A,B}, it holds that: (1) the dominant- operation values 
y/,--- , w.r.t. Tag, involved in computing the session-key via Fxiyl • • ,V^^,Tag), are (strong 
or general) non-malleably independent, and (2) = m^, where Fx is some predetermined polynomial- 
time computable function specified to compute session-key (according to protocol specification). 

Remark: Though session-key computational fairness is defined w.r.t. any complete session tag, 
according to the discussions following Definition IF. II and Definition IF. 31 it particularly ensures that: 
for any polynomial-time malicious player I, no matter how it does, (by the birthday paradox) it is 
infeasible to make the values V-[ ■ ■ , (involved in session- key computation) correlated under any 
predetermined polynomial-time computable relation. Note that we used the number of non-malleably 
independent dominant-operation values involved in session-key computation as the measurement for 
session-key computational fairness. The reason we require the dominant-operation values to be non- 
malleably independent is that, without such a requirement, as shown by our EDA attacks on (H)MQV, 
an adversary can potentially set these values maliciously correlated such that the session-key can be 
computed much more easily (than the ways specified for honest players) even without knowing any of the 
dominant- operation values. The reason we only require the dominant-operation values involved (rather 
than computed) in session-key computation is that, there can be multiple different ways to compute the 
session-key from dominant-operation values. With the function Fpciyi, V2) = Hk{Vi-V2) as an example, 
where Vi and V2 are non-malleably independent, one can compute two separate exponentiations Vi and 
V2 and then compute the session-key, but one can also use the simultaneous exponentiations technique 
to compute Vi ■ V2 with only about 1.3 exponentiations. Furthermore, there are a number of different 
methods for simultaneous exponentiations with (slightly) varying computational complexities. But, 
with any computation way, the value of Fk{Vi, V2) = HxiVi ■ V2) has to be computed, with which two 
non-malleably independent exponentiations are involved. 

Remark: We note that the issue of computational fairness can apply to interactive protocols in 
general, as long as the honest players have the same computational operations under protocol specifica- 
tionsH For implicitly authenticated DHKE protocols like (H)MQV and (s)OAKE, we only considered 
here the session-key computational fairness. In general, for key-exchange protocols with explicit authen- 
tication (e.g., via signatures and/or MACs), besides session-key computational fairness, we need also 
consider authentication computational fairness. The formulation of session- key computational fairness 
is also instrumental in formulating authentication computational fairness, which is beyond the scope of 
this work. 

Proposition F.l (s)OAKE is session-key computationally fair assuming h : {0,1}* G\1g is a 
random oracle, while (H)MQV is not session-key computationally fair. 

^In particular, most key-exchange protocols are protocols of such type, while key distribution protocols (e.g., via public- 
key encryption) are not. 



Proof. For both (s)OAKE and (H)MQV, the dominant operation (involved in session-key computation) 
is defined to be modular exponentiation. A complete session-tag consists of {A, A = g"", B,B = g^,X = 
g^,Y = gy). 

For (s)OAKE and any complete session-tag Tag, the dominant operation values specified for the 
player A (resp., B) are = B'^'' e G \ Iq and = y^^+e^ e G \ Iq (resp., Vf = A'^y and 
= X'^''+''y), where c = h{A,A,Y),d = h{I3,B,X),e = h{X,Y) (resp., c = d = 1 and e = 
h{A,A,B,B,X,Y)) for OAKE (resp., sOAKE). The function Fk is specified to be Fk{Vi,V2, str) = 
HxiVi ■ V2). It is clear that, similar to the analysis of Proposition IB . 1 1 and Proposition IB. 21 the distri- 
bution of (V/,F20, for both / G {A,B}, is identical to that of {Ui,U2) for OAKE (resp., (V/,[/2) for 
sOAKE) in the random oracle model, where Ui,i £ {1,2} is taken uniformly at random from G \ Iq- 
That is, {V/ ,V2) are strongly perfect non-malleably independent for OAKE (resp., generally perfect 
non-malleably independent for sOAKE). Thus, both OAKE and sOAKE enjoy session-key computa- 
tional fairness. 

For (H)MQV and any complete session-tag Tag, the dominant operation values specified for the 
player A (resp., B) are = Y''+'^ G G and = G G (resp., Vf = X^^"* and = 

j^d{y+eb)-^^ where d = h{X,B),e = h{Y,A) for HMQV (resp., d = 2^ + {X mod 2') and e = 2^ + {Y 
mod 2') for MQV). The function Fx is specified to be F/<(Vi, V2, str) = Hk{Vi-V2). Our concrete EDA 
attacks presented in Section [4.21 demonstrate that both MQV and HMQV do not satisfy computational 
fairness. Specifically, consider the following specific relations (corresponding to the two specific cases of 
our attack): (1) R{Vi,V2, Tag) = 1 iff • ^2 = 1g; (2) R{Vi,V2,Tag) = 1 iff • ^2 = YB^, where YB"" 
can be publicly computed from the session-tag Tag. For all these specific relations, there exist complete 
session-tags Tag (corresponding to the sessions caused by the EDA attacks presented in Section 14. 2p 
such that FiiR{V^^, , Tag) = !] = !, while Pr[i?([/i, ?72, Ta^) = 1] = 1 or VT\R{y^ , U2,Tag) = 1] = 1 
or Vt[R{Ui, ¥2^, Tag) = 1] = 1 is always negligible w.r.t. these specific relations (as each of the values 
of Ui-U2, Vx ■ and \J\ ■ V-{^ is distributed uniformly over G\1g)- □ 

Remark: By the session-key computational fairness property of (s)OAKE, the session-key com- 
putation involves two non-malleably independent values A'^y and X'^^'^^y no matter how a malicious 
B does (i.e., B is infeasible to make the values A'^y and X'^^'^'^y correlated under any predetermined 
polynomial-time computable relation). If we view each non-malleably independent exponentiation value 
as a proof-of-knowledge of the corresponding exponent, then to compute the session-key any PPT player 
has to "know" both cy and db + ey, from which both the static secret-key b and the ephemeral DH- 
exponent y can be efficiently derived. In this sense, the session- key computation of (s)OAKE itself 
can be viewed as a non-malleable join proof-of-knowledge of both b and y. This further implies that a 
malicious player is infeasible to set the session-key to some values that can be publicly computed from 
the session transcript. 

Comparisons with the fairness notions in secure multi-party computation (SMC). The 

notion of "fairness" was intensively studied in the literature of secure multi-party computation (see [28] 
for an overview of the various fairness notions considered in SMC). Informally speaking, a protocol 
is fair if either all the parties learn the output of the function, or no party learns anything (about 
the output). This property is also referred to as "complete fairness" (along with many variants), 
which mainly deals with prematurely adversarial aborting. To bypass some impossibility results on 
achieving fair SMC protocols with a majority of corrupted players, the work [26] introduced the notion 
of "resource fair SMC" . The resource fairness considered in [26] is still a variant of "complete fairness" . 
Specifically, the "resource fairness" [26] captures "fairness through gradual release". Here, protocols 
using gradual release consist of a "computation" phase, where some computation is carried out, followed 
by a "revealing" phase, where the parties gradually release their private information towards learning 
the protocol output. Then, roughly speaking, resource fairness requires that the honest players and the 
adversary run essentially the same number of steps in order to obtain protocol output. 

Casting "fairness through gradual release" into DHKE, it means that: players A and B gradually 
release their DH-exponents X and Y in sequential steps, so that both parties can output the session-key 
or both cannot. Clearly, the notions of "complete fairness" and "resource fairness" considered in the 



literature of SMC are significantly different from the session-key computational fairness formulated and 
considered in this work. Specifically, we assume both parties honestly send their DH-exponents, and 
computational fairness is about the session- key computation complexity. That is, our computational 
fairness is to capture the fairness between non-aborting players in computing session-key outputs (i.e., if 
both players do not abort, they should invest essentially the same computational resources in computing 
the session-key output), while "complete fairness" and its variant in the literature of SMC mainly deal 
with prematurely adversarial aborting. Also, the resource fairness considered in |26j is relative to 
experiment in which the protocol is run or the protocol needs to be aware of the computational power 
of the adversary (up to a constant) [26] . 

F.l On Fixing HMQV to Achieve Computational Fairness 

In [21 [1], we proposed some variants of (H)MQV, just in the spirit of (s)OAKE and NMJPOK to prevent 
our EDA attacks and to render the property of session-key computational fairness. The key point is 
to put A (resp., B) into the input of d (resp., e). Specifically, we have the following fixing approaches, 
by setting (1) d = h{X,B,A) and e = h{Y,A,B); or (2) d = h{A,A,B,B,X,Y) and e = h{d); or 
(3) d = h{A, A, X) and e = h{B, B,Y), etc. Other components remain unchanged. For the above 
third fixing solution, in order to get only one exponentiation online efficiency, we can make some further 
modifications by setting = (ye^)^'^+", = {X'^A)y'=+\ where d = h{A, A, X) and e = h{B, B, Y); 
The session-key is still K = Hk{K^ = Hk{K^). For presentation simplicity, we refer to this solution 
as the fourth fixing solution (this protocol variant is named as OAKE-MQV in [21 [1] ) . 

Unfortunately, we failed in providing the provable security for any of the above HMQV variants in 
the CK-framework. In particular, we do not know how to extend the security proof of HMQV in [37] 
to any of the above four fixing solutions. Indeed, HMQV was very carefully designed to enjoy provable 
security in the CK-framework. Below, we present some concrete obstacles in extending the proof of 
HMQV [33 to these HMQV variants. But, there can be more obstacles. 

• For the first and the second solutions, we note that the proof of HMQV for the case oi A = B 
(specifically, the proof of Lemma 24 in Section 6.3) fails. The underlying reason is: the inputs of d 
and the inputs of e share some common values, such that in the repeated experiment of redefining 
e the value d will also be changed. 

• For the third and the fourth solutions, we do not know how to extend the proofs of Lemma 11 
(to be more precise, Case-3 of Claim 13), Lemma 17 and Lemma 29 to these two solutions. The 
underlying reason is: the messages to be signed by the signer B by the underlying XCR or DCR 
signatures (defined in accordance with the third and the fourth solutions) are the fixed value 
(-B, B), while in HMQV the message to be signed is its peer's identity A that may be set by the 
adversary. In addition, for the fourth solution, the proof of Lemma 27 also fails. The underlying 
reason is about the order of d and e in order to compute the value X'^ . Also, the third and the 
fourth solutions have the following disadvantage that, in case the intermediate private value y + eb 
(computed by i? in a session) is leaked, this leaked value allows an adversary to impersonate B 
in any other sessions (no matter what the values {X, A) are) . 

Besides lacking provable security in the CK-framework, many other advantageous features enjoyed 
by (s)OAKE (as clarified in Section Uj) are also lost with the above fixing solutions. To the best of 
our knowledge, we do not know how to achieve, besides the OAKE family, implicitly authenticated 
DHKE protocols that enjoy all the following properties: (1) provable security in the CK-framework; 
(2) online optimal efficiency and/or reasonable deniability; (3) session- key computational fairness. The 
surrounding issues are quite subtle and tricky, and indeed (s)OAKE was very carefully designed to 
achieve all these features (and much more as clarified in Section |4|) . 



G Security Analysis of (s)OAKE in the CK- Framework 



One of main conceptual contributions of the analysis of HMQV in the CK-framework [S^ is to cast the 
design of HMQV in terms of Hashed Dual challenge-Response (HDR) signatures and Hashed Challenge- 
Response (HCR) signatures, which are in turn based on Dual Challenge- Response (DCR) signatures and 
exponential Challenge-Response (XCR) signatures and can be traced back to Schnorr's identification 
scheme [53]. We show that OAKE and sOAKE all can be casted in terms of HDR signatures. Moreover, 
the HDR signatures implied by the (s)OAKE protocols, referred to as OAKE-HDR and sOAKE-HDR, 
are both online efficient and strongly secure. This provides extra security strength of the underlying 
building tools, say SSJOPK and sSSJPOK, used in (s)OAKE. To this end, we first demonstrate a 
divided forking lemma with a new family of signature schemes, which may itself be of independent 
interest. 

G.l A New Family of Signature Schemes, and Divided Forking Lemma 

Notation note: For presentation simplicity, in this subsection, we a bit abuse the notations of 
a, c,d, e, f, k, s, z, p,C, which are different from the notations used outside this subsection. 

A common paradigm, known as the Fiat-Shamir paradigm [24] , of obtaining signatures is to collapse 
a 3-round public-coin honest- verifier zero-knowledge, known as S-protocol, into a non-interactive scheme 
with hash functions that are modeled to be random oracles [9]. 

Definition G.l (S-protocol [16| ) A three-round public- coin protocol {P,V) is said to be a T,-protocol 
for an AfV -relation TZ if the following hold: 

• Completeness. If P, V follow the protocol, the verifier always accepts. 

• Special soundness. From any common input U of length n and any pair of accepting conversations 
on input U, (a, e, z) and (a, e', z') where e ^ e' , one can efficiently compute w such that (U, w) (zTZ 
with overwhelming probability. Here a, e, z stand for the first, the second and the third message 
respectively and e is assumed to be a string of length I ( that is polynomially related to n) selected 
uniformly at random in {0, 1}'. 

• Perfect/statistical SHVZK (special honest verifier zero-knowledge). There exists a probabilistic 
polynomial-time (PPT) simulator S, which on input U (where there exists an MV -witness w such 
that {U,w) & TZ) and a random challenge string e, outputs an accepting conversation of the form 
{a,e,z), with the same probability distribution as that of the real conversation {a,e,z) between the 
honest P{w), V on input U. 

The first S-protocol (for an A/'P-language) in the literature can be traced back to the honest verifier 
zero-knowledge (HVZK) protocol for Graph Isomorphism [27] (but the name of S-protocol is adopted 
much later in [16]), and a large number of S-protocols for various languages have been developed now. 
S-protocols have been proved to be a very powerful cryptographic tool, and are widely used in numerous 
important cryptographic applications. Below, we briefly recall the S-protocol examples for DLP and 
RSA. 

S-Protocol for DLP ^54j . The following is a S-protocol {P,V) proposed by Schnorr [5l] for 
proving the knowledge of discrete logarithm, w, for a common input of the form (p, q, g, U) such that 
U = g^ mod p, where p, q are primes g is an element in Z* of order q. Normally, the length of q, \q\, is 
denoted as the security parameter. 

• P chooses r at random in Zq and sends a = g'^ mod pioV. 

• V chooses a challenge e at random in Z21 and sends it to P. Here, I is fixed such that 2' < q. 

• P sends z = r + ew mod qtoV, who checks that g^ = alJ^ mod p, that p, q are prime and that 
g, h are of order q, and accepts iff this is the case. 



S-Protocol for RSA [31| . Let n be an RSA modulus and g be a prime. Assume we are given 
some element y S Z* , and P knows an element w such that w'^ = y mod n. The following protocol is 
a S-protocol for proving the knowledge of q-th roots modulo n. 

• P chooses r at random in Z* and sends a = r'^ mod n to V . 

• V chooses a challenge e at random in Z21 and sends it to P. Here, / is fixed such that 2' < q. 

• P sends z = rw^ mod n to V , who checks that z*^ = ay^ mod n, that g is a prime, that gcd{a, n) = 
gcd{y,n) = 1, and accepts iff this is the case. 

The Fiat-Shamir paradigm and its provable security. Given any S-protocol (a, e, z) on 
common input U (which will be viewed as signing public-key), the Fiat-Shamir paradigm collapse the 
E-protocol into a signature scheme as follows: (a, e = h{a, m), z), where m is the message to be signed 
and /i is a hash function. Note in actual signature scheme with the Fiat-Shamir paradigm, the generated 
signature only consists of (e, z) as the value a can be computed from (e,z). The provable security of 
the general Fiat-Shamir paradigm is shown by Pointcheval and Stern [53] in the random oracle model 
(assuming h to be an idealized random function). The core of the security arguments of Pointcheval 
and Stern |53j is a forking lemma. 

On- line/ ofF- line signature. The notion of on-line/off-line signature is introduced in [23]. The idea 
is to perform signature generation into two phases: the off-line phase and the on-line phase. On-line/off- 
line signature schemes are useful, since in many applications the signer (e.g., a smart-card) has a very 
limited response time once the message is presented (but it can carry out costly computations between 
consecutive signing requests). The on-line phase is typically very fast, and hence can be executed even 
on a weak processor. On- line/off- line signature schemes are particularly remarkable in smart-card based 
applications [55]: the off-line phase can be implemented either during the card manufacturing process 
or as a background computation whenever the card is connected to power. 

Note that for signature schemes obtained via the Fiat-Shamir scheme, the signer can pre-compute 
and store a list of values (a = g^,r). Then, to sign a message m, it simply computes e = h{a,m) and 
z. With Schnorr's signature as an illustrative example, in this case, the signer only needs to perform 
z = r + h{m, a)w online, where a = g^ and r are offline pre-computed and stored. Some general 
transformation from any signature scheme to secure off- line/off- line signature scheme are know (e.g., 
\23\ I55|). but typically are not as efficient (for both computational complexity and space complexity of 
the signer) as the signature resultant directly via the Fiat-Shamir paradigm. 

The Digital Signature Standard (DSS). The DSS scheme [25] is a variant of Schnorr's signature 
|54| via the Fiat-Shamir paradigm. The general structure of DSS is as follows: 

• Public-key: U = g'^ (z G' , where w ^ Z*. Typically, w is a 160-bit prime. 

• Secret-key: w. 

• Signature generation: Let m € {0, 1}* be the message to be signed. 

1. Compute a = g'' mod p, where r is taken randomly from Zq. Compute d = f{a), where 
f : G' ^ Z* is a conversion function. 

Typically, for DSS with G' = Z*, / is just the "mod operation; for DSS with G' being 
some elliptic curve group over a finite field (i.e., a stands for an elliptic curve point {x,y)), 
f{a) is to take the x-coordinate of a. 

2. Compute s from the equation h{m) = sr — dw mod q, as follows: 

— Compute r = r~^. 

— Compute s = {h{m) + dw)f, or s = h{m)r + dwf with offline pre-computed dwr, where 
/i is a hash function. 

3. Output {d, s) as the signature. 



• Signature verification: Given (e = h{m),d, s) where d,s S Z*, the verifier verifies the signature as 
follows: 

— Compute s = s~^. 

— Verify /{g^'^U'^^) = d, where e = h{m). 

Recall that in the DSS scheme, the signature is generated as: {d, s = er~^ + dwr~^), where e = h{m), 
d = f{a) and a = g^', w is the secret-key. In general, the conversion f : G' ^ Z* also can be viewed as 
RO. Observe that the value m (i.e., the message to be signed) and the value a = g^' are not put into 
the input of a single RO in the DSS scheme, contrary to signature schemes via the Fiat-Shamir scheme 
where (m, a) is put into the single RO h. The separation of m and a in the inputs of ROs and the way 
of signature generation of DSS bring the following advantage to DSS. 

Specifically, the signer can pre-compute a list of values a's (just as in signature schemes via the 
Fiat-Shamir paradigm), but contrary to signature schemes via the Fiat-Shamir paradigm, the signer of 
DSS does not need to store these pre-computed values. Specifically, for each pre-computed value a = g^ , 
the DSS signer can off-line compute d = f{a), and dwr~^ , and only stores {d,r~^ ,dwr~^) (note 
that it is unreasonable to assume the message to be signed is always known beforehand). Actually, for 
smart-card based applications, the values {d,r~^,dwr~^) 's can be stored during the card manufacturing 
process. Note that d^r"^ ^dwr~^ € Zq while a € G' . Suppose G' = Z* (where p is typically of 1024 bits 
while q is of 160 bits) and the signer pre-computes k values of a, then in comparison with Schnorr's 
signature scheme the space complexity (of storing pre-computed values) is reduced from [\p\ + \q\)k to 
'i\q\k. But, we remark that for implementations of DSS based on elliptic curves, such an advantage is 
insignificant. 

Challenge-divided S-protocols and challenge-divided Fiat-Shamir paradigm. Next, we 
show a modified Fiat-Shamir paradigm, named challenge- divided Fiat-Shamir paradigm, that is appli- 
cable to a variant of S-protocol with divided random challenges (that is referred to as challenge- divided 
S-protocol). Below, we first describe the challenge-divided S-protocols for DLP and RSA. 

Challenge-divided S-Protocol for DLP. The common input is the same as that of Schnorr's 
protocol for DLP: (p, q, g, U) such that U = g^ mod p. 

• P chooses r at random in Zq and sends a = g"^ mod p ioV . 

• V chooses a pair of challenges d, e at random in Z21 x Z21 and sends {d, e) to P. Here, I is fixed 
such that 2' < q. 

• P sends z = er -\- dw mod q (resp., z = dr -\- ew) to V, who checks that g^ = a^W^ mod p (resp., 
gz _ g^djje jj^Qd that p, q are prime and that g, h are of order q, and accepts iff this is the case. 

Challenge-divided S-Protocol for RSA. Let n be an RSA modulus and q be a prime. The 
common input is (n, q, y), and the private input is w such that y = w'^ mod n. 

• P chooses r at random in Z* and sends a = r*^ mod n to V. 

• V chooses a pair of challenges d, e at random in Z21 x Z21 and sends (d, e) to P. Here, I is fixed 
such that 2' < 

• P sends z = r'^w^ mod n (resp., z = r^w^ mod n) to V , who checks that z'^ = a'^y^ mod n 
(resp., z'^ = a'^y'^ mod n), that g is a prime, that gcd{a,n) = gcd{y,n) = 1, and accepts iff this is 
the case. 

The challenge-divided Fiat-Shamir paradigm for challenge-divided E-protocols. Let F 

be a one-way function (OWF) admitting challenge-divided S-protocols, i.e., the range of the OWF has 
a challenge-divided S-protocol for proving the knowledge of the corresponding preimage w.r.t. the MV- 
relation {(U,w)\U = F{w)}. Let the random challenge be of length Len. Denote by d,e the (divided) 



random challenges, and let U = F{w) be signer's public-key and w the secret-key. To sign a message 
m, the signer computes a, d = f{a), e = h{m), and z, and then outputs {d, z) as the signature on m, 
where h and / are conversion functions from {0, 1}* to {0, 1}^"^". In security analysis in the RO model, 
we assume both h and / are hash functions that are modeled to be random oracles. 

Challenge- divided Schnorr signature scheme. With Schnorr's S-protocol for DLP as an il- 
lustrative instance, the transformed signature via the above challenge-divided Fiat-Shamir paradigm is 
called challenge- divided Schnorr signature. Note that for signatures from the above challenge-divided 
Schnorr's S-protocol for DLP, we have that / = / and h = h are conversion functions from {0, 1}* to 
Z*. In practice, / can simply be the "mod g" operation for G' = Z* or the operation of taking in- 
put's x-coordinate when G' is some elliptic curve group over a finite field. In the following, we directly 
describe the online/offline version of challenge-divided Schnorr's signature. 

• Pubhc-key: U = g~'^ G G', where w ^ Z*. 

• Secret-key: w. 

• Message to be signed: m. 

• Offline pre-computation: the signer pre-computes and stores {r,d,dw) (resp., {d,rd)), where r is 
taken randomly by the signer from Z*, a = , d = f{a). The signature verifier can pre-compute 
e = h{m) and e = e~^, in case it knows m before receiving the signature. 

• Online signature generation: After receiving the message m to be signed, the signer computes 
e = h{m), retrieves the pre-stored value {r,d,dw) (resp., {d,dr)), and computes z = er -\- div 
(resp., z = dr + ew). The signer outputs (d, z) as the signature on m. 

• Signature verification: given a signature (e = h(m),d, z) where d,z € Z*, check that d,z & Z* 

and fig^'^U'^'^) = d (resp., /{g^'^U'^'^) = d), where e = (resp., d = d~^). Note that e = e^^ 
can be offline pre-computed by the verifier, in case it knows the message m before receiving the 
signature. 

Theorem G.l Assuming h, f : {0, 1}* — > {0, l}^/{0} C Z* are random oracles where I is the security 
parameter (for presentation simplicity, we assume the range of ROs is {0,1}' rather than {0, l}'/{0}j, 
the challenge- divided Schnorr scheme is existentially unforgeable against adaptive chosen message at- 
tacks under the DLP assumption. 

Proof. We mainly provide the proof for challenge-divided Schnorr with z = er + dw, the proof for the 
case oi z = dr + ew is similar. 

Given a polynomial-time and successful forger i.e., F successfully outputs (after polynomially 
many adaptively chosen queries to the signing oracle and random oracles), with non- negligible proba- 
bility in polynomial-time, a valid signature on a new message that is different from those queried to the 
signing oracle, we build an efficient solver C for the DLP problem, namely, C gets as input a random 
element U = g~'^ in G and outputs the corresponding discrete logarithm w also with non-negligible 
probability. For presentation simplicity, we assume the random oracles h, f are identical, namely we 
use the unique RO h to handle all RO queries e = h{m) and d = h{a). The algorithm C is presented in 
Figure [H 

For the description of C in Figure [H suppose J- makes Q RO queries and R signing oracle queries 
(where Q and R are some polynomials in the security parameter Z), we have the following proposition: 

Proposition G.l With probability at most {RQ -\- R? /2)/{q — 1) (that is negligible), C fails in one of 
Step S3 of signature simulations (note that, assuming T never fails at Step S3 in signature simulations, 
the signature simulations are perfect). C fails at Step F3 with probability at most {2Q + 3)2~^ 



Building the DLP solver C from the challenge-divided Schnorr forger T 

Setup: The input to C is a random clement U = g^"' in G, and its goal is to compute w. To this end, C 
provides J- with a random tape, and runs the forger J- as the challenge-divided Schnorr signer of public-key 
U. 

RO queries: C provides random answers to queries to the random oracle h, under the limitation that if 
the same h query is presented more than once, C answers it with the same response as in the first time. 
Signature query simulation: Each time F queries the signing oracle for a challenge-divided Schnorr 
signature on message rrii, 1 < i < R, chosen by J- adaptively, where denotes the message in the i-th 
query, C answers the query as follows (note that C does not know the secret-key w corresponding to the 
public-key U = g^): 

51. Chooses Zi Sr Z* and di Gr {0, 1}' C Z* where / is the output length of the RO h. If h{m) has been 

defined by previous query to h, then sets = h{m), otherwise chooses Gr {0,1}' and defines 
h{m) = Ci. 

52. Computes a; = _g^-^"'f7''-^"\ 

53. If h{ai) has been previously defined, C aborts its run and outputs "fail". Otherwise, sets h{ai) — di. 

Recall that, for presentation simplicity, we have assumed f = h. 

54. C responds to J-^s signing query with the simulated signature {di, Zi). 
When T halts, C checks whether the following conditions hold: 

Fl. J- outputs (rn,d,z) such that {d, z) is a valid signature on m. That is, d, z are in Z*, e = h{m) 
a = 5^^="' and d = h{a). 

F2. m was not queried by T to the signing oracle previously, i.e., m ^ m,; for alH, 1 < i < R. 

F3. The values h{m) and h{a) were queried from the RO h. 

If these three conditions hold, C proceeds to the "repeat experiments" below; in all other cases C halts and 
outputs "fail". 

The repeat experiments. C runs T again for a second time, under the same public-key U and using the 
same coins for J-. There are two cases according to the order of the RO queries of h{m) and h(a): 

CI. h{m) posterior to h(a): C rewinds J- to the point of making the RO query him), responds back a 
new independent value e' Sr {0,1}'. All subsequent actions of C (including random answers to 
subsequent RO queries) are independent of the first run. If in this repeated run F outputs a valid 
signature {d,z') for the message m, i.e., e' = h{m), d ~ h{a) and a ^ g^ U'^'^ , C computes 
w = {z'e'~^ — ze~^) / {de'~^ — de~^) mod q. 

C2. h{a) posterior to h(rn): C rewinds J- to the point of making the RO query h(a), responds back a 
new independent value d' Gr {0, 1}'. All subsequent actions of C (including random answers to 
subsequent RO queries) are independent of the first run. If in this repeated run T outputs a valid 
signature {d',z') for the message m, i.e., e = h{m), d' = h{a) and a ~ g^ U^^ , C computes 
w = {z' — z)/ {d' — d) mod q. 



Figure 4: Reduction from DLP to challenge-divided Schnorr forgeries 



Proof (of Proposition of lG.ip . It is easy to check that suppose C never fails at Step S3, the signature 
simulations by C are of identical distribution with that of real signatures by using the secret-key w. 

Next, we limit the upper-bound of Step S3 failure. Note that for each generated by C at Step S2, 
it is distributed uniformly in G \ Iq- In the RO model, there are two cases for C fails at Step S3: 

Case 1. For some i, 1 < i < R, J- ever successfully guessed the value in one of its Q random 
oracle queries. Thus, the probability that C fails in Case 1 is at most RQ/{q — 1). 

Case 2. For some i, 1 < i < R, the value has ever been generated in dealing with the j-th signing 
oracle query, j < i. The probability that C fails in Case 2 is at most C^/ — 1) < (-R^/2) /(g — 1), where 
C\ is the combination number of selecting two elements from a set of R elements. 

Finally, it is easy to check that C fails at Step F3 with probability at most (2Q -|-3)2~'. To see this, 
first note that there are two possibilities for T to output d = h{a) without making RO query with a: 
(1) J- directly guesses the value d = h{a), which occurs with probability 2~^. (2) The value d = h{a) 
collides with some other values from the RO answers (i.e., h{a) = h{a') for some a' queried by J- to 
RO). As F makes at most Q RO queries, the latter case can occur with probability at most Q2~K 
Thus, with probability at least 1 — {Q + 1)2~', F knows a (i.e., queries the RO with a). Note that from 

(a, d, z) the value loga ^ is (which should be equal to h{m) = e) is then determined. Conditioned on 

this, the probability e = h{m) = loga is 2^', as e is distributed uniformly over {0,1}'. Thus, J" does 
not query h{m) with probability at most (Q + 1)2"' + {I - {Q + 1)2"') • 2"' <{Q + 2)- 2'K □ 
Thus, suppose the forger F succeeds (i.e., outputs a valid signature {d^z) for a new message m 
different from those queried) with non-negligible probability in its real attack against the signer of 
public-key ?7, F succeeds in the first run of C in Figure H] also with non-negligible probability (up 
to a gap at most {QR + R? /2)/{q — 1)). Then, with non-negligible probability (with a gap at most 
{QR + R^ /2) / {q — 1) -|- (2(5-|-3)2~' to the success probability of F in its real attack), C does the repeated 
second run. 

For presentation simplicity, we write the signature of challenge-divided Schnorr on a message m as 
(m, e = h{m),a,d = h{a),z). Note that given a pair of different signatures on the same m (and a): 
{(m, e, a, d, z), {m, e' ,a, d, z')} that corresponds to Case CI in Figured! or, {(m, e, a, d, z), (m, e, a, d' , z')} 
that corresponds to Case C2 in Figure (H the value w computed by C is correct. Thus, to finish the 
theorem, what left is to show that conditioned F succeeds in outputting the valid (m, e, a, d, z) in 
the first run of C, with non-negligible probability F will also succeed in Case CI or Case C2 of the 
repeated second run. We note that this can be shown by a straightforwardly extended version of the 
Pointcheval-Stern forking lemma [53] (that was originally developed to argue the security of digital 
signature schemes via the Fiat-Shamir paradigm). For completeness, we reproduce the forking lemma 
tailored for signature schemes via the challenge-divided Fiat-Shamir paradigm, referred to as divided 
forking lemma. 

Suppose F produces, with probability e', a valid signature {m,e,a,d, z), within the time bound T 
in its real attack against the signer of public-key U, then with probability at least e = (e' — {QR + 
R^ /2)/{q — 1) — {2Q + 3)2~')/2 F outputs a valid signature (m, e, a, d, z) in the first run of C described 
in Figure [4] such that F made both h{m) = e and h{a) = d queries to the RO with the order of h{m) 
being posterior to h{a) or the order of h{a) being posterior to h{m). Without loss of generality, we 
assume it is the former case, i.e., the RO query h{m) is posterior to h{a) (the analysis of the case of 
h{a) being posterior to h{m) is similar). We have the following lemma, from which the theorem is then 
established. 

Lemma G.l (divided forking lemma) Suppose F produces, with probability e, a valid signature 
(m, e, a, d, z) within the time bound T in the first run ofC such that F made both h{m) = e and h{a) = d 
RO queries with the order h{m) being posterior to h{a), then within time T' < {2/e + {e/AQ — 2~^)~^)-T 
and with probability at least |, a replay of F outputs a valid signature {m,e' ,a,d, z') for e' ^ e. 

Proof (of Lemma iG.ip . The proof of Lemma [G. II is essentially identical to that of Lemma 2 in [53], 
which we re-produce here for completeness. We mention that, as in [53], although the divided forking 
lemma is presented here w.r.t. the challenge-divided Schnorr's signature (based on the challenge-divided 



Schnorr's S-protocol for DLP), it can be directly extended and applied to signatures derived from other 
challenge-divided S-protocols. 

Denote by uj the random tape of T, and assume T makes at most Q RO queries Qi , • • • , Qq (for 
presentation simplicity, we assume all RO queries are distinct), and denote by p = (pi,-- - , pq) the 
Q RO answers. It is clear a random choice of the random function h (i.e., the RO) corresponds to a 
random choice of p. 

Define S to be the set of {ui,h) such that outputs a valid signature {m,e,a,d, z) in the first 

run of C, such that made both h{m) and h{a) RO queries with the order of h{m) being posterior to 
h{a). That is, Pr[5] = e. Define Ind{uj,h) to be the index of the RO query h{m), i.e., m = Qind{w,h)- 
Define Si be the subset of S such that Ind{uj,h) = i for 1 < i < Q. That is, the set ,Sq} 
is a partition of S. Define / = {i|Pr[5j|5] > 1/2Q}, i.e., Pr[5j|z G /] > e/2Q. For each i G /, 
define by hi the restriction of h to queries of index strictly less than i, they by applying the Splitting 
Lemma (Lemma 1, page 12 in [53]), there exists a subset (of S) such that: (1) for any {u!,h) € fij, 
Pr/j/[(w, /i') € Si\h'- = hi] > e/4Q; (2) Pr[r2j|5j] > ^. As all the subsets Si are disjoint, it is calculated 
that PTaj,h[^i{uj,h) G n5i|5] > I (for more details, the reader is referred to |53|). 

By the Lemma 3 (page 14) in [53], we get Pv[Ind{uj,h) G I\S] > ^. Now, run 2/e times with 
random u and h, with probability 1 — (1 — e)^/^ > | we get one successful pair {uj, h) G S. Denote by 
/3 the index Ind{uj, h) corresponding to the successful pair. We know with probability at least |, G I 
and [io, h) G Spf^Q-i^. Consequently, with probability at least |, the 2/e runs have provided a successful 
pair (w, /i) G 5/3 n where /? = Ind{uj, h). As Pr/,/[((x!, h') G ^/jj/i^ = hp] > e/4(5 in this case, we get 
Pr/j/[(a;, h') ^ Sp /\ pp ^ P'pWp = hp] > e/AQ — 2~\ where pp = h{Qp) and p^ = h'{Qp). Now, we replay 
with fixed uj but randomly chose h' such that /i^ = hp, for {e/^Q — 2^')^-*^ times, with probability 
at least |, we will get another success. That is, after less than 2/e + (e/4(5 — 2"^)~^ repetitions of J^'s 
attack, with probability at lease | x | > i, we have obtained two valid signatures {m,e,a,d,z) and 
(m, e', a, d, z') for e ^ e' . □ □ 

Challenge-divided Schnorr vs. DSS. We note all performance advantages of DSS (recalled in 
Appendix [G|) are essentially preserved with the challenge-divided Schnorr scheme. We also note the 
techniques proposed in j47j for improving the performance of DSS in certain scenarios, e.g., signature 
batch verification and compression, etc, are also applicable to challenge-divided Schnorr. In addition, 
challenge-divided Schnorr has the following advantages over DSS: 

• Same or better offline space complexity than DSS (much better than Schnorr scheme for imple- 
mentation based Z*. Suppose k values of a's are pre-computed, the offline space complexity of 
challenge-divided Schnorr with z = er + dw is 3k\q\ (which is the same as that of DSS); But, for 
challenge-divided Schnorr with z = dr + ew, the offline space complexity is only 2/c|(7|. 

Note that, for Schnorr signature scheme, suppose G' = Z* (where p is typically of 1024 bits while 
q is of 160 bits) and the signer pre-computes k values of a, then in Schnorr's signature scheme the 
space complexity (of storing pre-computed values) is {\p\ + \q\)k. 

• More efficient signature generation in total. To compute the value s in the DSS-signature (recalled 
in Appendix [G]). the signer of DSS performs 1 modular inverse (i.e., r = r^^) and 2 modular 
multiplications in total. In comparison, to compute the value z in the challenge-divided Schnorr 
signature, the signer only performs 2 modular multiplications in total (without performing the 
modular inverse operation). We remark that modular inverse is a relatively expensive operation 
(which is typically performed by the Euclid algorithm), and is thus much preferable to dispense 
with (particularly for smart-card-based deployment). 

• More efficient offline pre-computation. Besides the same other pre-computations, the signer of 
DSS needs to perform 1 modular inverse and 2 modular multiplications for computing dwr~^ , 
but the signer of challenge-divided Schnorr needs to offline perform only 1 modular multiplication 
dw or dr. 

• More efflcient online signature verification (for the case of z = er + dw). For verifying a DSS- 
signature {d, s), the verifier has to compute s = online (which is a relatively expensive opera- 
tion), as the value s is known to the verifier only when the signature comes to it. In comparison. 



for verification of challenge-divided Schnorr with z = er + dw, the verifier only needs to compute 
the inverse e = where e = h{m). In case the verifier learns the message to be signed prior to 
receiving the signature from the signer (which is quite common in certain scenarios), the values 
e and e"^ can both be offline pre-computed by the verifier of challenge-divided Schnorr. For 
challenge-divided Schnorr with z = dr -\- ew, signature verification is of the same computational 
complexity as that of DSS. 
• Provable security in the random oracle model. We show that, assuming both h and / are random 
oracles, the challenge-divided Schnorr scheme is existentially unforgeable against adaptive chosen 
message attacks |29j under the DLP assumption in the RO model. 

Challenge-divided Schnorr vs. Schnorr. For implementations of challenge-divided Schnorr and 
Schnorr based over order q subgroups of Z*, where p is typically of 1024 bits and q is of about 160 
bits, similar to DSS in this case, challenge-divided Schnorr enjoys much better offline space efficiency 
than Schnorr. However, for elliptic curve based implementations of both challenge-divided Schnorr and 
Schnorr, such offline space efficiency advantage disappears. As mentioned, the introduction of challenge- 
divided Schnorr is mainly to introduce the divided forking lemma to be used in the analysis of (s)OAKE 
in the CK-framework. 

G.2 Casting (s)OAKE in Terms of Online Efficient and Strongly Secure HDR 
Signatures 

Informally speaking, a HDR signature scheme is an interactive signature scheme between two parties in 
the public-key model. The two parties generate the same signature, which is actually a hashed value of 
the DH-secret shared between the two parties, with the dual roles of signer and challenger: each party 
generates the signature with private values of its static secret-key and the secret DH-exponent with 
respect to its peer's DH-component and public-key as the challenges. With a HDR signature, we are 
only interested to ensure verifiability of the signature by the two intended parties, and thus we make 
no assumptions or requirements regarding the transferability or verifiability of the signature by a third 
party. Roughly speaking, a HDR signature scheme is secure if the signature cannot be generated by 
any other parties other than the two intended (honest) parties. 

Definition G.2 ((s)OAKE-HDR signature schemes) Let A, B be two parties with public-keys 
A = g"" , B = g^ , respectively. Let m^, ruj^ be two messages. The OAKE-HDR, sOAKE-HDR signa- 
tures of B on messages {m^,m^, A, A, B , B, X,Y) are defined as a vector of values (the signatures of 
A are defined straightforwardly) : 

OAKE-HDR. {A,A,m^,m^,X,Y,HSLG^'^^^{m^,m^,X,Y) = HKiAy''X'"^+y'')}, where X = g"" , 

Y = gy are chosen by A, B respectively as the random challenge and response, x^y Gr Z*, 
c = h{mj^,A,A,Y), d = h{m^,B,B,X) and e = h{X,Y). 

Another form of OAKE-HDR is to set c = h{A,A,Y), d = h{B,B,X) and e = h{m^,m^, X,Y). 
Both of these two versions are secure. 

sOAKE-HDR. {i. A, m^,m^,X, Y, HSLGf^^^{m^,m^,X, Y) = HK{Ay''X'"^+y'')} , where c = d = 
1, e = h{m^,m^,A,A,B,B,X,Y). 

Note that the online efficiency of (s) OAKE-HDR can be only one exponentiation for each player. In 
comparison, each player of HMQV-HDR performs about 1.3 online exponentiations. For presentation 
simplicity, in the above HDR signature description we assume the CA in the underlying PKI will check 
the membership G \ Ic of registered public-keys, and each player checks the membership G \ 1g of its 
peer's DH-component. These subgroup tests may not be necessary for the security of HDR in general, 
assuming no ephemeral private state is exposed, and thus can be relaxed in some scenarios (see [37l |45] 
for more details). 



(s)OAKE in a nutshell. Actually, the above OAKE-HDR/sOAKE-HDR can be viewed as a 
general structure of the (s)OAKE protocols. Specifically, OAKE and sOAKE are instantiated with 
OAKE-HDR and sOAKE-HDR respectively, with the special and m ^ that are set to be the empty 
string. In general, (resp., ni^) can include some values sent to A (resp., 13) from 13 (resp.. A), 
which does not affect the pre-computability of (s)OAKE. In particular, in practice with pre-computed 
and reused DH-components, (resp., m^) can include a random nonce generated and sent by 13 
(resp., A). 

In the following, we show the security of OAKE-HDR, sOAKE-HDR with off-line pre-computed 
DH-exponents, DH-components, and the values A^'^ or B^'^ (that may be potentially exposed to the 
forger even prior to the session involving these pre-computed values), on which the security of OAKE 
and sOAKE in the CK-framework will be based. In particular, we show that our OAKE-HDR and 
sOAKE-HDR satisfy a stronger security definition (than the definition given in [37]) in accordance with 
Definition [521 

On the strong security of HDR. The strong security of our definition for HDR lies in that: 

• We assume {y,Y,A'^y) are off-line pre-computed, and the forger can get them prior to the session 
run involving them. 

This particularly renders stronger capability to the attacker to perform colliding (birthday) attacks 
against the hash function h (that is of length \q\/2 for HMQV). To deal with this subtlety, the 
actual HMQV implementation needs some changes in practice (to be clarified later). 

• In the forging game defined in Figure [21 the successful forgery requires that the whole vector 
{A, A,mi,mo, Xq,Yo) did not appear in any of the responses of B to J^'s queries. The definition 
for the security of HCR in [37j only requires that the pair (yo,?Tio) did not appear in responses 
from the signer. As we shall see, the HMQV-HDR scheme may not be strongly secure in general. 

OAKE-HDR vs. HMQV-HDR. In [37], the HMQV-HDR (of B) is defined to be {X,Y, 
DSIGYl'^^{m^,m^,X,Y) = HK{{XA'^)y+^^)}, where d = h{m^,X), e = h{m^,Y). For building 

HMQV with HMQV-HDR, (resp., rn^) is set to be its peer's identity A (resp., B). The underlying 
HMQV-XCR-signature is defined to be X^"'"'"^, where e = h{mj^,Y). The following are some brief 
comparisons between OAKE-HDR and HMQV-HDR: 

• One notable advantageous feature of OAKE-HDR and sOAKE-HDR is the online efficiency. 
Specifically, the online efficiency of OAKE-HDR and sOAKE-HDR, for each player, can be only 
one exponentiation. In comparison, each player of HMQV-HDR performs about 1.3 online expo- 
nentiations. 

• As we shall see, the OAKE-HDR and sOAKE-HDR are strongly secure in accordance with Def- 
inition 15. 2i We note that the HMQV-XCR underlying HMQV-HDR is not strongly secure. For 
example, to forge a HMQV-XCR signature {X,Y,a = A^+^2^) on message m, where e = h(m,Y), 
the forger can first query the signer with (m. A' = A^), gets back {X',Y,a' = A"*^"^^), and then 
outputs (A, Y,a = cr'2 ) as the XCR signature on m. Note that the triple (A, Y, a) did not appear 
in any one of the responses from the HMQV-XCR signer 13. We note that one way to remedy this 
security vulnerability of HMQV-XCR is to commit X also to e by defining e = h{m, X,Y). 

• The security of OAKE-HDR/sOAKE-HDR against uncorrupted players other than the signer 
itself, with offline pre-computed (y, Y, A'^^) that can be exposable to the adversary even prior to 
the session involving {y,Y, A^^), is based on the gap Diffie-Hellman (GDH) assumption. 

The security of HMQV-HDR against uncorrupted players other than the signer itself, with offline 
pre-computed DH-component Y , is based on both the GDH assumption and the non-standard 
KEA assumption [T7], even if the pre-computed DH-exponent y is not exposable and only the 
pre-computed DH-component Y is exposable. Furthermore, for robust security of HMQV-HDR 



with pre-computed DH-components, when the number of messages in the system is large, HMQV- 
HDR needs to make the following modifications [37]: (1) Increase the output length, i.e., /, of the 
hash function h, e.g., from \q\/2 to \q\, which may bring negative impact on the performance of 
HMQV. (2) Add random nonces into the input of d and e, or, put the message to be signed also 
into Hx, which may increase the system complexity. 

• The generation of the sOAKE-HDR signature uses minimal (i.e., only one) random oracle (in 
computing the value of e). 

• The HMQV-HDR signature is actually an XCR signature w.r.t. the challenge XA'^. In compar- 
ison, OAKE-HDR and sOAKE-HDR in general cannot be viewed as a structure of XCR w.r.t. 
some challenge f{X,A) for some function /. 

• As we shall see, the special protocol structure of OAKE-HDR and sOAKE-HDR also much sim- 
plifies, in certain scenarios, the security analysis of OAKE and sOAKE in the CK-framework. 

Next, we show the strong security of OAKE-HDR, sOAKE-HDR under the Gap Diffie-Hellman 
(GDH) assumption in the random oracle model. 

Theorem G.2 Under the GDH assumption, OAKE-HDR and sOAKE-HDR signatures of B, with 
offline pre-computed and exposahle [y^Y^A'^y), are strongly secure in the random oracle model, with 
respect to any uncorrupted player other than the signer B itself even if the forger is given the private 
keys of all uncorrupted players in the system other than b of B 

Proof (of Theorem IG.2p . Given an efhcient and successful forger T against OAKE-HDR or sOAKE- 
HDR, i.e., J- wins the forgery game in Figure [2] with respect to some uncorrupted player A ^ B with 
non-negligible probability, we build an efficient solver C for GDH problem also with non-negligible 
probability. The algorithm C for OAKE-HDR is presented in Figure [3] (page \T2\i , and the algorithm C 
for sOAKE-HDR is presented in Figure [5] (page [38]) . 

For the description of C in Figure [H suppose T makes Qh RO queries to h, Qh queries to Hk, Qs 
signing oracle queries, where Qh, Qh, Qs are polynomial in the security parameter / (i.e., the output 
length of h). We have the following observations: 

• The signature simulation at steps S1-S3 is perfect. 

• Now, suppose T outputs a successful forgery (^, ^, mi, mo, ^O; '"o); which particularly implies 
that ro should be Hk{(Jo), where ao = ^J/ocox^'^o+^^o^o, Xq = U , Yq = gy\ cq = h{mi, A, A,Yo), 
do = h{mQ, B, B, Xq) and eo = H^Xq^Yq). We investigate the probability that C aborts at step 
F3. We have the following observations: 

— With probability at most ^izrj" + 2"^^ -|- Qh/'^^, ^ can succeed with undefined any one of 
{co,(io;eo}. Here, i^zi is the probability that T guesses do with undefined cq or do or eo, 

is the probability that T simply guesses the value tq, and QhI'^^ is the probability 
upper-bound that tq = Hk{(Jq) collides with some //j<--answers. 

— With defined cq and do and eo, there are two cases for T to succeed without querying Hxifyo): 
Case-1. T simply guesses the value ro. This probability is 2~^. 

Case-2. ro is the value r set by C at one of S3.1 steps, where r is supposed to be Hxicr) 
w.r.t. a stored vector (Z , Z,m^,m^, X,y,Y, Z^^ ,r). Recall that for the value r set at 
step S3.1, C does not know a (as it does not know b), and thus in this case both C 
and J- may not make the RO-query Hk{(Tq) = Hxic). In this case, by the birthday 
paradox with probability at least l-Qjj/2-\ ao = a, i.e., ^coyox^ob+eoyo ^ ^cyxdb+ey^ 
where c = h{m^, Z, Z, Y), d = h{m^, 13, B, X), e = h{X, y), cq = h{mi,A, A, Yo), do = 
h{mo,B,B,Xo), eo = h{Xo,Yo), and {mo,mi,A,A,B,B,Xo,Yo) / {m^,m,^, Z, Z, B, B, X,Y). 



By the NMJPOK and TBSS properties of OAKE, for any value cj G G \ 1g and any 
{mi,mo,A,A,B,B,Xo,Yo), the probability Pr[A^oyo x^°''+^°y° = a] < where Xq is 

the given random element in G\ 1g, A and B are uncorrupted players. This is true, even 
if the public-key A (resp., B) is removed from cq (resp., ^0)1 as the public-keys A and 
B are generated by the uncorrupted players A and B independently at random. Then, 
by straightforward calculation, we can get that J- succeeds in Case-2 with probability at 
most 0(2^ + ^^). 

Note: To rule out the possibility of Case-2, the analysis of HMQV-HCR requires the 
KEA assumption jl7j . Furthermore, to resist to birthday attacks in Case-2, some mod- 
ifications of HMQV are recommended in [3^: (1) increase the output length, i.e., /, of 
h, e.g., from \q\/2 to \q\. (2) Add random and fresh nonces (which cannot be offline 
pre-computed) to the input of h, or put the messages to be signed m^,m^ into the 
input of Hfc- 

— With probability at most > the query Hk{o-o) is prior to any one of the queries {cq, do; cq}. 

• It is easy to check that, in case the forger J-" successfully outputs another different forge satisfying 
the conditions F1-F3 in the repeat experiment CI or C2, the output of C is the correct value of 
CDH{Xq,B). 

The similar observations can be easily checked for the algorithm C for sOAKE-HDR described in Figure 
m Putting all together, we have that: suppose for some uncorrupted player A ^ B, the forger J- 
provides, with non-negligible probability, a successful forgery w.r.t. A in its real interactions with the 
signer of OAKE-HDR/sOAKE-HDR, then with also non- negligible probability (up to a negligible gap 
specified by the above observations) J- succeeds under the run of C. Then, by applying the forking 
lemma, specifically, the divided forking lemma (Lemma IG.ip for OAKE-HDR and the normal forking 
lemma of |53j for sOAKE-HDR, the theorem is established. □ 
On the role of putting players' public-keys into the inputs of c, d for OAKE-HDR and 
e for sOAKE-HDR. We remark that the players' public-keys in the inputs of c, d, e for OAKE- 
HDR/sOAKE-HDR actually play no role in the above security analysis. That is, the above secu- 
rity analysis is actually with respect to a (public-key free) variant of OAKE-HDR/sOAKE-HDR, with 
public-keys are removed from the inputs of c,d,e. Recall that, players' public- keys are only used 
for arguing the TBSS property of OAKE-HDR/sOAKE-HDR. Specifically, for any value a G G \ 1g 
and any {mi,mo,A,A,B,B,Xo,Yo), the probability Pr[c7o = ^coj/ox^o*+'^"f« = a] < where 

Co = h{mi, A, A,Yo), do = h{mQ, B, B, Xq), cq = h{XQ,YQ) and the probability is taken over only 
the choice of the random function h. But, as we assume A and B are both uncorrupted players, 
their public-keys are generated independently at random. Also, the value Xq is the given random DH- 
component (not generated by the attacker). To affect the distribution of (Tq, the only freedom of the 
attacker is to maliciously choose (yo) "^0) "^1)) which however does not change the distribution of do. In 
particular, for any value o" € G \ and for any {YQ,mo,mi) chosen maliciously by the attacker w.r.t. 
the fixed {A,A,B,B,Xo), it still holds that Prfuo = cr] < ^j^. 

Security of OAKE-HDR/sOAKE-HDR against the signer itself. The above security analy- 
sis considers the security of OAKE-HDR/sOAKE-HDR against any other uncorrupted players other than 
the signer itself, i.e., the (in)feasibility of outputting a successful forgery (mi, mo, A, A, B, B, Xq, Iq, tq) 
where A is an uncorrupted player and A ^ B. But, the forger may also be against the signer B itself. 
That is, J-" may output a successful forgery of the form: {mi,mo,B,B,B,B,XQ,YQ,ro) (i.e., A = B). 
Here, we further investigate the feasibility of successful forgeries of this form. We distinguish two cases: 
(1) Yq = -^0) i-e., the successful forgery is of the form {mi,mo, B, B , B, B , Xq, Xo,rQ). For this case, 
we show OAKE-HDR and sOAKE-HDR are still secure under the traditional CDH assumption (not 
the stronger GDH assumption) in the RO model; (2) Yq 7^ Xq- For this case, we show OAKE-HDR 
and sOAKE-HDR are secure under the GDH assumption, and additionally the KEA assumption, in the 
RO model. We remark that the KEA assumption is only used to rule out the feasibility of successful 
forgeries in this case of Yq ^ Xq and A = B. 



Building the CDH solver C from the sOAKE-HDR forger J" 
Setup: C does the same as it does for the forger T against OAKE-HDR. 

Signature query simulation: Each time T queries B for a signature on values (Z, Z, m^,m^), C answers 
the query for B as follows (note that C does not know b): 

51. C generates y Gr Z*, Y = and . Again, {y, Y, Z^) can be pre-computed by C and leaked to F prior 

to the session. Then, C responds (y, Y — , Z^) to -F, and stores the vector (Z, Z, 'm^,mj^,y, Y, A^) as 
an "incomplete session" . 

52. presents C with {Z , Z,m^,mg,Y), and a challenge X. 

53. B checks that X G G \ 1g (if not. it aborts) and that (Z, Z, m^, m^, F) is in one of its incomplete 

sessions (if not, it ignores the query). C checks for every value a € G \ Iq previously used by J- as 
input to Hx whether a ~ z^X^^^^, where e = h{rn^,mj^,Z,Z,B,B,X,Y) (in case of undefined e, 
C defines it with the RO h). It does so using the DDH-oracle O, specifically, by checking whether 
CDH{X, B) = {(j/Zyxy^). if the answer is positive, then C sets r to the already determined value of 

S3.1. In any other cases, r is set to be a random value in {0, 1}'', where k is the output length of 
Hk- Note that, in this case, C does not know a — Z'^X^'^'^y, as it does not know b, which also 
implies that C docs not make (actually realize) the RO-query Hk (c) even if the value a has been 
well-defined (with predetermined d and e) and known to J- . 

Finally, C marks the vector {Z , Z,m^,mj^, X,y,Y, Z^) as a complete session^\ stores 
(Z, Z,m2,mj^, X,y,Y, Z'^ , r) and responds (Z, Z,m^,mj^, X^ Y, r) to J-. 

RO queries: C provides random answers to queries to the random oracles h and Hk (made by J^), under 
the limitation that if the same RO-query is presented more than once, C answers it with the same response as 
in the first time. But, for each new query a to Hk, C checks whether a = Z^X^^"^ for any one of the stored 
vectors {Z,Z,m^,mg,X,y,Y,Zy,r) (as before, this check is done using the DDH-oracle). If equality holds 
then the corresponding r is returned as the predefined -ff/f (ct), otherwise a random r is returned. 
Upon J^'s termination. When halts, C checks whether the following conditions hold: 

Fl. T outputs a valid HDR-signature {A, A,mi,mo, Xo,Yo,ro), where A =/= B is an uncorrupted player. In 
particular, it implies that ro should be Hk{i^q), where ctq = A^" ATq^^"'"" , Yq = g^" (chosen by T), and 
eg = h{mi,mo, A, A, B , B , XoYq) . 

F2. (A, ^, TOi, Too, ATq, Iq) did not appear in any of the above responses of the simulated sOAKE-HDR sig- 
natures. 

F3. The value eg = /i(toi, mg, A, A, _B, _B, AToIq) was queried from the RO h, and the value -ffif(o'o) was 
queried from Hk being posterior to the query eg. Otherwise, C aborts. 

If these three conditions hold. C proceeds to the "repeat experiment" below, else it aborts. 
The repeat experiment. C runs F again for a second time, under the same input {B,Xq) and using the 
same coins for F. C rewinds T to the point of making the RO query h{mi,mo, A, A, B, B, XqYq), responds 
back a new independent value Cq Gr, {0, 1}'. All subsequent actions of C (including random answers to 
subsequent RO queries) are independent of the first run. If in this repeated run T outputs a successful forgery 
{A' , A' ,m[,mo, Xo,Yo,r'Q) satisfying the conditions F1-F3 (otherwise, C aborts), which particularly implies 
that r'o = HkK), fTo = A'yo x'^^'^'"'''' , C computes CDH{Xa,Yo)^^ g^^''^ = [{^o/Yo^)/{a'jYo-')](^«-^'or\ 
where a and a' are the private keys of the uncorrupted A and A' (different from B, which are assumed 
to be known to C). Note that {A',A',m[) need not necessarily to equal {A, A, mi). Finally, C computes 
CDH{U,V) = CDH{Xo,B) = ao/((g""«°)'^° ■ Fq")- 

Figure 5: Reduction from GDH to sOAKE-HDR forgeries 



Corollary G.l Under the computational Diffie-Hellman (CDH) assumption, (public-key free) OAKE- 
HDR and sOAKE-HDR signatures of B, with offline pre-computed and exposable (y, Y, A^^), are strongly 
secure in the random oracle model, with respect to the signer B itself with Yq = Xq. 

Proof. This case implies that the forger T can output, with non- negligible probability, a successful 
forgery of the form: {mi,mo,B,B,B,B,Xo,Xo,ro), where tq = i^xK), do = S^oxo j^^ob+eo^o ^ 
CO = h{mi,B,B,Xo), do = h{mo,B,B,Xo), eo = h{Xo,Xo) for OAKE-HDR (for 
sOAKE-HDR, cq = do = 1 and eo = h{mi,mQ,B,B,B,B,XQ,Xo)). Note that from cto and i?'s secret- 
key b, we can compute Xq° . But, as mentioned, the hardness of computing X^ from random X is 
equivalent to that of the CDH problem \42\ I46|. 

With the above observations, we modify the algorithm C depicted in Figure[3]and Figure[5]as follows: 

• C knows (sets) also the private key b for B. By knowing the private key b, C dispenses with the 
DDH-oracle in order to make the answers to RO-queries to be consistent. 

• After T outputs a successful forgery of the form {mi,mo,B,B,B,B,XQ,XQ,rQ), satisfying the 
conditions F1-F3, C simply computes out Xq° from ao and the private-key b. Note that C does 
not need to perform the rewinding experiments at all in this case. 

The analysis show that, in case of successful forgery against the signer itself with Yq = Xq, the 
security not only is based on the weaker hardness assumption (say, the CDH assumption rather than 
the GDH assumption), but also of tighter security reduction (to the underlying hardness assumption, 
say the CDH assumption here). □ 

Now we consider the case of Iq 7^ ^o- As mentioned, it is the only place we need to additionally 
use the KEA assumption. 

Definition G.3 [Know ledge- of- Exponent Assumption (KEA)] Let G be a cyclic group of prime order 
q generated by an element g, and consider algorithms that on input a triple {g, C = g'^, z) output a 
pair (Y, Z) G G^, where c is taken uniformly at random from Z* and z € {0, 1}* is an arbitrary string 
that is generated independently of C . Such an algorithm A is said to be a KEA algorithm if with 
non-negligible probability (over the choice of g,c and A's random coins) A{g,g'^,z) outputs {Y,Z) € 
such that Z = Y'^. Here, G = g^ is the random challenge to the KEA algorithm A, and z captures the 
auxiliary input of A that is independent of the challenge G. 

We say that the KEA assumption holds over G, if for every probabilistic polynomial-time (PPT) 
KEA algorithm A for G there exists another efficient algorithm fC, referred to as the KEA-extractor, 
for which the following property holds except for a negligible probability: let {g,g'^,z) be an input to A 
and p a vector of random coins for A on which A outputs {Y^ Z = Y^), then, on the same inputs and 
random coins, IC{g, G, z, p) outputs the triple {Y, Z = Y'^, y) where Y = g^ . 

Corollary G.2 Under the GDH assumption, and additionally the KEA assumption, (public-key free) 
OAKE-HDR and sOAKE-HDR signatures of 13, with offline pre-computed and exposable {y^Y^A'^^), are 
strongly secure in the random oracle model, with respect to the signer B itself with Yq ^ Xq. 

Proof. The proof of Corollary IG.2I follows the same outline of that of Theorem IG.2[ We highlight the 
main differences, and how the KEA assumption comes into force in the security analysis. The analysis 
is mainly w.r.t. OAKE-HDR (the similar, and actually simpler, hold also for sOAKE-HDR). 

The main difference between the proof of Corollarv IG.2I and that of Theorem I G.2 1 is that, here, the 
forger outputs with non-negligible probability a successful forgery of the form: (mi , mo,B, B, B, B, Xq, 
Yo,ro), where tq = ifx(c7o), ao = B^^y^ X^^''^''^^ cq = /i(mi, S, S, Fq), = h{mo,B,B,Xo), eo = 
/i(Xo,lo)- The key point is that, by performing the rewinding experiments, we cannot directly output 
the GDH(B,Xq), as we do not know the private key b of B (recall that we are going to compute 
GDH{B,Xq) by running the forger J^). Note that in the security analysis of Theorem I G.2 1 we heavily 
relied on the fact that we know the private key of any uncorrupted player other than the signer itself. 



We modify the algorithm C depicted in Figure [3] and Figure [5] as follows: the actions of C remain 
unchanged until the rewinding experiments; C performs the rewinding experiments according to the 
order of the RO-queries cq, do, cq- 

do posterior to co,eo. In this case, by rewinding J" to the point of making the query do = ^("t-o, -S, i?, Xq), 
and redefines h{mQ, B, B, Xq) to be a new independent d'g, C will get a'^ = B^ovo X^''^^''^^ . Then, 
from (To and a^, C gets that CDH{B,Xo) = (fT/(To)(*"''o)~' . Note that, in this case, C does not 
rely on the KEA assumption for breaking the CDH assumption (but still with the DDH-oracle). 

Co posterior to do, eo- In this case, by rewinding F to the point of making the query cq = /i(mi, B, B, Yq), 
and redefines h{mi, B, B,Yq) to be a new independent c'q, C will get a'^ = B'^'oyo X^^'^'^''^^" . Then, 
from <To and cr^, C gets CDH{B,Yq) = B^' = (cr/cr^)(^«-^o)"\ That is, given 5, C can output 
(Yo,By°). By the KEA assumption, it implies that J- knows i/q (which can be derived from the 
internal state of J-). More formally, there exists an algorithm that, given B and Xq and the ran- 
dom coins of C and T can successfully output yo. Now, with the knowledge of yo, CDH{B,Xq) 
can be derived from ao (or a'^). 

eo posterior to co,do. In this case, by rewinding J-" to the point of making the query eo = h{XQ,YQ), 
and redefines /i(Xo,lo) to be a new independent e'g, C will get a'^ = b^'ovo X^''^''^^'' . Then, from 
(70 and o-^, C gets CDH{Xo,Yo) = X^'' = (cr/o-^)(^o-^o)"\ Then, by the KEA assumption, the 
knowledge of yo can be derived, with which CDH{Xq, B) can then be computed from either do 
or ctq. □ 

G.2.1 Extension to Robust (s)OAKE-HDR Signatures 

In this section, we show that the security analysis of (s)OAKE-HDR signatures can be extended to 
robust (s)OAKE-HDR signatures. We first re-describe the robust (s)OAKE-HDR signatures: 

Definition G.4 (robust (s)OAKE-HDR signatures) Let A,B be two parties with public-keys A = 
g"", B = g^, respectively. Let m^, be two messages. The robust (s)OAKE-HDR signatures of B on 
messages {m^,m^,A,A,B,B,X,Y) are defined as a vector of values (the signatures of A are defined 
similarly): 

Robust OAKE-HDR. {A, A,mj^,m^, X,Y, HSLG'^'^^^ {m^,m^, X,Y) = i?/^(^*+2'^X^'^+2^^)}, where 

X = g^ , Y = gy are chosen by A, B respectively as the random challenge and response, x, y Z*, 
c = h{rn^,A,A,Y), d = h{m^,B,B,X) and e = h{X,Y). 

Robust sOAKE-HDR. {A, A, m^, m^,X, Y, HSLGf^^^{m^, m^, X, Y) = HKiA^^yX'^'^+y'')}, where 
c = d = 1, e = h{m^,m^, A, A, B, B, X,Y). 

For the security analysis of the robust (s)OAKE variant, the exposed values A'^y and B'^^ for (s)OAKE 
are changed to be A'^'^^y and B°'~^'^^ . 

Security analysis extension for the case oi A ^ B. We note that the proof of Theorem IG.2I 
can be straightforwardly extended to robust (s)OAKE-HDR signatures, by the following observations: 

• In Step S3 and for answering RO queries, to ensure the consistency of RO queries with each a 
previously queried by T to the RO Hk, the challenger C checks whether a = Z^'^'^y X^'^'^y'^ by 
checking whether CDH{B,X'^Z) = a/Z'^yxy' = Z^X'^^ = {X'^Zf via its DDH oracle. 

• The repeat experiments can still go through because that: B ^ A, A is an. uncorrupted player 
and the challenger knows the secret-key a. Thus the value J^^'^y = [BY'^)'^ can be removed from 
cr. 



Security analysis extension for the case of A = B and X = Y. The security analysis of robust 
(s)OAKE-HDR signatures for this case is essentially the same as in the analysis of Corollarv lG.il 

Security analysis extension for the case of A = B and X ^ Y. The key differences, in 
comparison with the proof of Corollary IG.21 are that: 

• For robust OAKE-HDR signature, the output of the challenger C during the rewinding experiments 
is CDH{B, Xq) for the case of do posterior to cq, cq, and is CDH{X^B, B) = X^'^'' B^ in the rest 
two cases. 

• For robust sOAKE-HDR signature, as c = d = 1, the output of the challenger C during the 
rewinding experiments is always CDH{Xq°B,B) = X^f^B''. 

But, either case contradicts the CDH assumption, by the following proposition: 

Proposition G.2 Given random elements B = g^,X = g^^G \ 1g, where h,x are taken indepen- 
dently at random from Z*, the hardness of computing CDH{B,X) is equivalent to that of computing 
CDH{X'^B,B) = [X'^Bf, where d = h{B,B,X). 

Proof (of Proposition IC.2| ). First recall that the hardness of computing B^ from random B = g^ is 
equivalent to that of the CDH problem [42\ I46j . Thus, the ability of computing CDH{B,X) (given 
{B,X)) is equivalent to the ability of computing B^ (given B only), which then implies the ability of 
computing CDH{X'^B,B) = X^'^B^. 

Suppose there exists an efficient algorithm A that can compute CDH{X'^, B) = X'^^B^ (from B and 
X) with non-negligible probability, then there exists another efficient algorithm B that can breaks the 
CDH assumption with also non- negligible probability. The input of S is a random element B £ G\1g, 
and its goal is to break the CDH assumption by computing CDH{B, B) = B^. Towards this goal, B 
generates X = g^ where x is taken uniformly at random from Z*, and then runs A on input (S, X). After 
getting CDH{X'^B) = X'^''B^ = B^'^B'' from the output of i, B computes B^ = GDH{X'^B,B)/B'"^. 

According to the above discussions, given random elements {B,X), under the CDH assumption no 
efficient algorithm can compute either GHD{B, X) or GDH{X'^B, B) with non-negligible probability. 
□ 

In addition, in view of the fact that c = d = 1 for robust sOAKE-HDR signature, there is another 
analysis method for robust sOAKE-HDR signature. Specifically, given random elements U, V, the 
challenger C sets (in the Setup procedure) that: B = V and Xq = (U/B) (rather than Xq = U). Note 
that, in this case, the output of the challenger C during the rewinding experiments is CDH[Xq°B, B) = 
X^B^ = ^B^ = U^ = CDH{U, B), which directly violates the CDH assumption. 

G.3 Analysis of (s)OAKE with Offline Pre-Computation in the CK-Pramework 

Brief description of the CK-framework. In the CK-framework for a DHKE protocol, a CMIM 
adversary A controls all the communication channels among concurrent session runs of the KE protocol. 
In addition, A is allowed access to secret information via the following three types of queries: (1) 
state-reveal queries for ongoing incomplete sessions; (2) session-key queries for completed sessions; (3) 
corruption queries upon which all information in the memory of the corrupted parties will be leaked to 
A. A session {A, B, X, Y) is called exposed, if it or its matching session (B, A, Y, X) suffers from any of 
these three queries. 

The session-key security (SK-security) within the CK-framework is captured as follows: for any 
complete session {A, B, X, Y) adaptively selected by A, referred to as the test session, as long as it is 
unexposed it holds with overwhelming probability that (1) the session-key outputs of the test session 
and its matching session are identical; (2) A cannot distinguish the session-key output of the test session 
from a random value. At a high level, the SK-security essentially says that a party that completes a 
session has the following guarantees [U]: (1) if the peer to the session is uncorrupted then the session- 
key is unknown to anyone except this peer; (2) if the unexposed peer completes a matching session then 
the two parties have the same shared key. 



Next, we present the analysis of OAKE and sOAKE protocols in the CK-framework with pre- 
specified peers, with offline pre-computed and exposable DH-exponents, DH-components, and DH-secrets 
derived from one's DH-component and its peer's public-key (say, A'^'^ and B'^^) which may be exposed 
to the adversary prior to the session involving these pre-computed values. The analysis can also be 
straightforwardly extended to that of the robust (s)OAKE variant, where the exposed value A'^^ and 
j^dx g^j^g changed to be A^'^'^^ and B°'~^'^^. 

Using the terminology of HDR signatures, a session of OAKE (resp., sOAKE), for the basic protocol 
version without explicit mutual identifications and key confirmations, between two parties A and B con- 
sists of a basic Diffie-Hellman exchange of DH-components X = and Y = g^; And the session- key K 
is then computed as the corresponding HDR-signatures, specifically, K = HSIG^^^{'m^,m^, X,Y) 

for OAKE and (resp., K = HSIGf^^^{mj^,m^,X, Y) for sOAKE), where and are the empty 
string for both OAKE and sOAKE. 

During a session of (s)OAKE within the CK-framework, with offline pre-computation, a party can be 
activated with three types of activations (for presentation simplicity, we assume A denotes the identity 
of the party being activated and B the identity of the intended peer to the session): 

Initiate{A, B) (i.e., A is activated as the initiator): A generates a value X = g^, x €r Z*, creates a 
local session of the protocol which it identifies as (the incomplete) session {A,B,X), and outputs 
the DH-component X as its outgoing message. 

Here {X, x, S"'^'), where d = h{B, B, X) for OAKE or d = 1 for sOAKE can be offline pre-computed 
by A, which may be exposed to the adversary prior to the session involving them. 

Respond{A, B ,Y) (i.e., A is activated as the responder): A checks Y & G \ Iq, if so it generates a 
value X = g^, x €r Z*, outputs X, computes the session-key and then completes the session 
iA,B,X,Y). 

Again, {X, x, B'^^) can be offline pre-computed by A, which may be exposed to the adversary prior 
to the session involving them. 

Complete{A, B, X,Y) (i.e., the initiator A receives Y from the responder peer B): A checks that 
y € G \ Ic and that it has an open session with identifier {A,B,X). If any of these conditions 
fails A ignores the activation, otherwise it computes the session-key and completes the session 
{A,B,X,Y). 

With the above notation, it is ensured that if {A, B,X,Y) is a complete session at A, then its 
matching session (if it exists) is unique, which is {B,A,Y,X) owned by the player B. In the following 
analysis, we specify that the values, exposable to the adversary via session-state query (against an 
incomplete session), include the DH-component and DH-exponent and the DH-secret of one's DH- 
component and its peer's public-key, e.g., {Y,y,A'^y). 

Theorem G.3 Under the GDH assumption in the RO model, the OAKE and sOAKE protocols (ac- 
tually, the variants with public-keys removed from the inputs of c,d,e), with offline pre-computed DH- 
components, DH-exponents, and the DH-secrets of one's DH-component and its peer's public-key (say 
A'^y and B"^^ ), are SK-secure in the CK-framework w.r.t. any test-session between a pair of different 
players. 

Proof. According to the SK-security definition in the CK-framework, we need to prove OAKE and 
sOAKE satisfy the following two requirements: 

Requirement- 1. If two parties A, B complete matching sessions, then their session-keys are the same. 

Requirement-2. Under the GDH assumption, there is no feasible adversary that succeeds in distin- 
guishing the session-key of an unexposed session with non-negligible probability. 



The Requirement-1 can be trivially checked for both OAKE and sOAKE. In the following, we focus 
on establishing the Requirement-2. 

Denote by {A,B,Xq,Yq) the unexposed test-session between a pair of uncorrupted players A and 
B where A ^ B, and by Hk{v) the session- key of the test-session that is referred to as the test HDR- 
signature, where v = A^yX'^^'^'^^ = ^f^^i^yca+ex^ random oracle, there are only two strategies 

for the adversary to distinguish Hk{v) from a random value: 

Key-replication attack. ^ succeeds in forcing the establishment of a session (other than the test- 
session or its matching session) that has the same session-key output as the test-session. In this 
case, ^ can learn the test-session key by simply querying the session to get the same key (without 
having to learn the value of the test HDR-signature) . 

Forging attack. At some point in its run, £/ queries the RO Hk with the value v. This implies that 

succeeds in computing or learning the test HDR-signature (i.e., the session- key of the test-session) 
via its attacks. For presentation simplicity, we assume £/ directly outputs the session-key of the 
test-session, referred to as the test-signature, via a successful forging attack. 

The possibility of key-replication attack is trivially ruled out unconditionally in the RO model, by the 
NMJPOK and TBSS property of OAKE and sOAKE. Specifically, for any session-tag (i. A, B, B, X, Y) 
and for any value o" € G \ Iq, the probability Pr[A'^ = = cr] < ^rz^ holds for both OAKE and 
sOAKE, where the probability is taken over only the choice of the random function h. Then, by the 
birthday paradox (as done in the previous NMJPOK and computational fairness analysis), any efficient 
attacker can succeed in the key-replication attack only with negligible probability. Actually, as the 
test-session and its matching session are defined without taking public-keys into account in the CK- 
framework, the possibility of key-replication attack is trivially ruled out unconditionally in the RO model 
also for the public-key free variant of (s)OAKE. Specifically, for any test-session {A,B,X,Y) and any 
session (A' , B' ,X' ,Y') that is unmatched to the test-session (which implies that at least of the following 
inequalities holds: A ^ A' , B ^ B' , X X' and Y / Y'), it holds that Pr[iC^ = Kj^,\ = As 
the attacker is polynomial-time, it cannot make two unmatched sessions to output the same session-key 
with non-negligible probability. 

Note on security reduction tightness. We note that, however, the analysis of HMQV to rule 
out key-replication attack in [37| is quite complicated, and is still reduced to the underlying hardness 
assumptions (to be precise, to the unforgeability of HMQV-HDR). That is, the analysis of (s)OAKE 
in order to rule out the key-replication attacks is not only much simpler, but also does not go through 
costly security reductions. Also, as we shall see, sOAKE is at least as tight as HMQV in other parts of 
the security analysis. We did not try to make a direct comparison on the security reduction tightness 
between OAKE and HMQV, as they use different forking lemma. 

Then, in the following analysis, we only focus on ruling out the forging attack. Recall that A ^ B 
for the test-session {A,B,Xq,Yq) held by A. In the rest, we make analysis mainly with respect to the 
OAKE protocol, the similar and actually simpler hold also for sOAKE. 

Now, suppose there is an efficient KE-attacker £^ who succeeds, by forging attacks, against the 
test-session [A,B,Xq,Yq) with A ^ 13 (particularly, A ^ B), we present an efficient forger T against 
the underlying OAKE-HDR signature, which contradicts the security of the underlying OAKE-HDR 
signature scheme (that is based on the GDH assumption), and thus establishing the theorem. works 
as follows, by running £/ as a subroutine. 

1. We assume T successfully guessed the unexposed test-session {A,B,Xq,Yq) held at A, where 
A^B. 

2. The inputs of J-" are {B,Xq), and J- has oracle access to the OAKE-HDR signer B of public-key 
B. 

3. J-" sets the inputs to all parties other than B, and thus can perfectly emulate these parties. In 
particular, T can deal with state-reveal queries, session-key queries by j^/ on any session other 



than the test-session and its matching session, and party corruption queries on any party other 
than A and B. 

4. When £/ activates a session at B, either as a responder or initiator, with peer identity P of 
pubhc-key P and incoming message X, then T feeds B the value {P,P,X). In response, J- gets 
values {y,Y,P'^^) from B, and then J-" hands ^ the value Y as the outgoing message from B. 
Actually, the values {y,Y,P'^y) can be offline pre-computed by B, and leaked to J- (and £/) prior 
to the session involving them. 

5. When ^ issues a state-reveal query against an incomplete session {B, P, Y) {not matching to the 
test-session) held at B, then returns the values {Y, y, P'^v) to =e/. 

6. When issues a session-key query to a session [B^P^Y^X) {not matching to the test-session) 
held at B, then T queries the session-signature from its signing oracle B by presenting the signing 
oracle with (P, P, X, Y), and returns the HDR-signature from B to =e/. 

7. When jz/ halts with a valid test-signature, denoted ctq, T stops and outputs o"o- 

Suppose there are n parties in total in the system, and each party is activated at most m times (where 
n and m are polynomials in the security parameter), in actual analysis J- guesses the test-session by 
choosing uniformly at random a triple {Pi,Pj,t) (hoping that Pi = A and Pj = B and the test-session 
is the t-th session activated at A with peer i?), where 1 < i ^ j < n and \ < t < m. Thus, with 
probability (n^m)~^, F successfully guesses the test-session. It is easy to check that, conditioned on F 
successfully checks the test-session, the view of £^ under the run of J- is identical to that in the real run 
of =e/. Suppose successfully outputs, with non-negligible probability e, the valid test-signature via 
forging attack in its real run, with still non-negligible probability {n'^m)~^e £/ (and thus J-) outputs 
the valid test-signature under the run of J-". 

We need then to check whether the valid test HDR-signature outputted by is a successful OAKE- 
HDR forgery. As the test-signature output by .s/ is valid, according to Definition 15.21 we only need to 
show the vector {A, A, Xo,yo} did not appear in any one of the responses from the signing oracle B. 
We distinguish three cases, according to the appearance of Yq: 

Case-1. Yq was never output in any one of the signatures issued by B. In this case, the test HDR- 
signature output by £/ (and thus J-) is clearly a successful forgery against OAKE-HDR. 

Case-2. Yq was output in one of the signatures issued by B in a session non-matching to the test- 
session. Denote by {B,P,Yq,X) this non-matching session, we have that P ^ A or X ^ Xq. 
That is, {P,P,X) ^ {A^ A^Xq). As B uses random and independent DH-components in each 
session, the value Yq is only used in this non-matching session (i?,P, YojX), and thus does not 
appear (except for a negligible probability of accidental repetition) in any other signatures issued 
by B in other sessions different from (i?, P, Yq, X). Putting all together, we get that {j4, j4, Xq, 1^0} 
did not appear in any of the HDR-signatures issued by -B, and thus the test HDR-signature output 
by J-" is a successful forgery against OAKE-HDR. 

Case-3. Yq was generated by B in the matching session (i?, ^, Yq, Xq). However, this matching session 
was never queried by si via session-key query or session-state query (recall we assume the test- 
session and its matching session are unexposed in the CK-framework) , which in turn implies that 
T never queries B for the HDR-signature of this matching session. Also, the random value Yq 
was used by B only for this matching session (except for a negligible probability of accidental 
repetition). This implies that, in Case-3, the values {yl, ^4, Xq, Yq} ^-Iso did not appear in any one 
of the responses from the signing oracle i?, and thus the test HDR-signature output by is a 
successful forgery against OAKE-HDR. □ 

Notes on the security analysis of (s)OAKE in the CK-framework. For the above security 
analysis of (s)OAKE in the CK-framework, we have the following observations and notes: 



• For the same security level (actually, whenever the DH-component is offline pre-computed and 
exposable, no matter whether the secret DH-exponent is exposable or not), the security of HMQV 
in the CK- framework relies on both the GDH assumption and the KEA assumption. In contrast, 
for the security of (s)OAKE even with the additional powerful exposure of DH-exponents and A'^'^ 
or B'^^, the KEA assumption is dispensed with. 

• The security reduction (from the security of sOAKE to the security of the underlying HDR sig- 
natures) is tighter than that of HMQV. 

We remind problems with security reduction in the random oracle model \12\ H8l [52l I13| . Here, 
we only aimed to highlight the relative advantage of reduction tightness of sOAKE over HMQV, 
as both HMQV and (s)OAKE are proved in the random oracle model. 

• Note that the above security analysis is actually w.r.t. the public-key free variants of (s)OAKE, 
with players' public-keys removed from the inputs of the functions of c, d, e. The reason is that 
the security of the underlying OAKE-HDR/sOAKE-HDR signatures does not rely on them. 

• The analysis shows that OAKE and sOAKE remain their security in the CK-framework, even if 
the attacker £/ exposes the private values {y, A^^) of the matching session (but not the session- key 
itself). This provides extra security guarantee of (s)OAKE that is beyond the CK-framework. The 
reason is that, even if these pre-computed private values are used by B in the matching session 
{B, A, Yq,Xq) and exposed to the forger F never queries the full HDR-signature corresponding 
to this matching session as the underlying attacker is not allowed to make the session-key query 
against the matching session (note that queries the HDR signer for a full session-signature only 
when =2/ makes the session-key query against this session), and thus {A,A,Xq,Yq) still did not 
appear in any one of the signatures issued by B. 

Using Corollary IG.ll and Corollary IG.21 we have the following corollaries about the security of 
(s)OAKE in the CK-framework w.r.t. any test-session between the identical players A = B. The proofs 
are straightforward adaptations of the proof of Theorem 10.3^ and details are omitted here. 

Corollary G.3 Under the CDH assumption in the RO model, the OAKE and sOAKE protocols (ac- 
tually, the variants with public-keys removed from the inputs of c,d,e), with offline pre-computed and 
exposable DH-components, DH-exponents, and the DH-secrets of one's DH-component and its peer's 
public-key (say A'^^ and B'^^), are SK-secure in the CK-framework w.r.t. any test-session of identical 
peer and identical DH-component (i.e., A = B and X = Y). 

Corollary G.4 Under the GDH assumption and additionally the KEA assumption in the RO model, 
the OAKE and sOAKE protocols (actually, the variants with public-keys removed from the inputs of 
c,d,e), with offline pre-computed and exposable DH-components, DH-exponents, and the DH-secrets of 
one's DH-component and its peer's public-key (say A^^ and B'^^), are SK-secure in the CK-framework 
w.r.t. any test-session of identical peer but different DH-components (i.e., A = B but X ^Y). 

Notes on some inherent security limitations. The reader should beware of some inherent 
security limitations for any one-round and two-round implicitly-authenticated DHKE protocols, e.g., 
the PES vulnerability for any two-round implicitly-authenticated DHKE and the KCI vulnerability for 
any one-round DHKE (more details are referred to [37]). Even for the three-round version of OAKE 
(as well as HMQV) with explicit mutual authentications, there are also some inherent limitations. For 
example, the protocol responder may not be able to get deniability in a fair way, in case the malicious 
protocol initiator just aborts after receiving the second-round message; Also, both the three-round 
OAKE and (H)MQV suffer from the cutting-last-message attack [41], etc. We remark that losing 
deniability fairness to protocol responder and lacking correct delivery guarantee of the last message 
are inherent to the protocol structure of OAKE and (H)MQV and do not violate the definition of the 
SK-security in the CK-framework, which though can be easily remedied but at the price of ruining the 
performance advantages and/or adding additional system complexity. 



H Security of (s)OAKE Beyond the CK- framework 



Following Section 14.21 in this section we make some further investigations on the security properties of 
(s)OAKE not captured by the CK- framework, which further strengthens the security guarantee of the 
(s)OAKE protocols. The first observation is: the security analysis of (s)OAKE in the CK-framework 
also implies that (s)OAKE is resistant to reflection attacks. 

H.l Security with Public Computations 

The work of [39] considers a new attack scenario for key-exchange protocols with public computations, 
where it is convenient to split an entity (performing a run of KE-protocol) into two parts: a trusted 
authentication device, and an untrusted computing device. The authentication device enforces the 
confidentiality of the authentication data, while some computing operations required by the protocol are 
publicly carried out by the (possibly untrusted) computing device. This allows to use an authentication 
device with little computing power, and to make computing devices independent from users |39j . 

The work [39] gives some concrete applications that might be benefited from public computations: 
(1) Mobile phones include smart cards which store the user authentication data; the handsets themselves 
are the computing devices. (2) PCs (corresponding to the computing device) equipped with a crypto 
token (corresponding to the authentication device) have a lot more computing power than the token 
itself, but may be plagued by spyware or virus. For more details, the reader is referred to [39]. 

(H)MQV with pubhc computations. With the computation of B as an example (the same holds 
for A), a natural split of authentication computation and public computation is as follows [39]: The 
authentication device generates (y, Y), forwards Y to the computation device; After getting (A, X) from 
the computation device, the authentication device computes s = y + eb, where e = h{Y,A), and then 
forwards s to the computation device; After getting s from the authentication device, the computation 
device computes = [XA'^)^, and then the session-key, and then communicate with A with the 
session-key. 

One key point is: as we assume the computation device may not be trustful, once the value s is 
leaked to an attacker (who may compromise the computation device), then the attacker can definitely 
impersonate 13 to A in any sessions. Note that, by only compromising the computation device, the 
attacker does not learn the DH-exponent y and the private-key b. This shows that (H)MQV does not 
well support deployment in the public computation model. 

(s)OAKE with pubhc computations. For applications in such scenarios, the natural split of 
authentication computation and public computation for (s)OAKE is as follows, with the computation of 
B as an example (the similar hold for A): (1) The authentication device generates {y,Y) and possibly 
A^y (in case the authentication device has learnt the peer identity A) where c = 1 for sOAKE or 
c = h{A, A, Y) for OAKE, and then forwards Y and possibly A^^ to the computation device; (2) 
After getting X from the computation device, the authentication device computes s = db + ey, where 
d = h{B,B,Y) and e = h{X,Y) for OAKE (resp., d = 1 and e = h{A,A,B,B,X,Y) for sOAKE), 
and then forwards s to the computation device; (3) After getting s from the authentication device, 
the computation device computes = A^^X^, and then the session- key, and then communicate with 
A with the session-key. Note that y,Y,c,d,A'^y,db can be offline pre-computed by the authentication 
device, and the authentication device can only online compute ey and s. Also, the computation device 
essentially needs to compute only one exponentiation X^ . 

Below, we make some discussions about the security of sOAKE and OAKE in the public computation 
modelJl 

Discussion on security of sOAKE with public computations. We note that, under the DLP 
assumption, the knowledge of {A^ , s) of a session of sOAKE, learnt by the adversary by compromising 
the computation device, is essentially useless for the attacker to violate other sessions other than the 

''We note that some modifications to (s)OAKE may be needed to give a formal proof in the public computation model, 
in accordance with the work of [S^- Here, we stress that (s)OAKE, particularly sOAKE, very well supports the public- 
computation model even without such modifications. 



matching session {B, A, Y, X). The reason is that s = b + ey for sOAKE, where e = h{A, A, B, B, X, Y) 
commits to the whole session-tag. Thus, the value s cannot be used by the attacker to violate a non- 
matching session, unless it can compute y from A^ (and thus b from s) which however is infeasible by 
the DLP assumption. 

Discussion on security of OAKE with public computations. The knowledge {A'^^, s) of a ses- 
sion of OAKE, where s = db + ey, d = h{B, B, Y) and e = h{X, Y), is essentially useless under the DLP 
assumption for the attacker to violate other sessions other than sessions of the tag {A* ,A* , B, B, X, Y) 
where {A*, A*) may be different from (A, A). As the DH-component X is generated by uncorrupted 
players randomly and independently, it implies that the knowledge of {A'^^ , s) can only help the attacker 
to violate the security of at most one unexposed non-matching session. 

For example, consider that the attacker interacts concurrently with A (in the name of B) and B (in 
the name oi A* ^ A but of the same public- key A); the attacker faithfully relays the DH-components 
X and Y in the two sessions; in case the attacker learns both s and the private-key a of A, then it can 
impersonate i? to A in the unique session in which A sends X. 

We remark this weakness is at the price of supporting the advantageous post-ID computability 
offered by OAKE. Though this weakness can be trivially remedied (by putting A into d and B into 
c), but at the price of sacrificing the advantage of post-ID computability. Even with this (seemingly 
unreasonable) weakness in the public computation model for OAKE in mind, the potential damage 
caused is still much mitigated in comparison with that of (H)MQV in such scenarios. 

H.2 Resistance to KCI, and Weak PFS 

Recall that the security of DHKE protocols in the CK-framework is w.r.t. an unexposed test-session 
{A, 13, Xq,Yq), where A and 13 are uncorrupted parties (which implies both the private- keys a, b are not 
exposed to the attacker) but the value Yq may be generated by the attacker impersonating 13 (in this 
case, the matching session does not exist). In this section, we consider the security damage caused by 
compromising static secret-keys of players, i.e., one or both of the secret-keys a, b of the test-session are 
exposed to the attacker. 

Firstly, we note that if both the peer B (in the test-session) is corrupted and the value Yq is 
generated by the attacker itself, then no security can be guaranteed for the test-session within the 
CK-framework (as the attacker can now compute the session- key by itself). In this section, we mainly 
investigate the resistance against key-compromise impersonation (KCI) attacks, and perfect forward 
security (PFS). Roughly speaking, a key-compromise impersonation attack is deemed successful if the 
attacker, knowing the private key a of a party A (which of course allows the attacker to impersonate A), 
is able to impersonate another different uncorrupted party 13 ^ A (for which the attacker does not know 
the secret-key b) to A. Note that for KCI attacks, the attacker still can generate the DH-component 
Yq for the test-session (without the matching session then). The PFS property says that the leakage of 
the static secret-key of a party should not compromise the security of session-keys ever established by 
that party, and erased from memory before the leakage occurred. 

Definition H.l (clean session [37j ) We say that a complete session of a key-exchange protocol is 
clean, if the attacker did not have access to the session's state at the time of session establishment (i.e., 
before the session is complete), nor it issued a session-key query against the session after completion. 

Note that, for a clean session at an uncorrupted party, the attacker did not issue a state-reveal query 
while the session was incomplete or a session-key query after completion; Moreover, the attacker was 
not actively controlling or impersonating the party during the session establishment (neither by making 
any choices on behalf of that party in that session or eavesdropping into the session's state). 

Definition H.2 jSTJ^ We say that a KE-attacker that has learned the static secret-key of A succeeds 
in a KCI attack against A, if is able to distinguish from random the session-key of a complete session 
at A for which the session peer B ^ A is uncorrupted (which implies the private-key of B is not exposed 
to ) and the session and its matching session (if it exists) are clean. 



In other words, the definition says that, as long as the attacker is not actively controlling or ob- 
serving the secret choices (particularly the ephemeral DH-exponent x) of the test-session, then even the 
knowledge of ^'s private-key still does not allow a/ to compromise the session-key. In particular, in 
such a protocol £/ cannot impersonate an uncorrupted party to A in a way that allows £/ to learn 
any information about the resultant session-key j37j (even if the attacker impersonates B and generates 
the DH-component, say Yq, by itself). 

Proposition H.l Under the GDH assumption in the random oracle model, the OAKE and sOAKE 

protocols (actually, their public-key free variants), with offline pre- computation, resist KCI attacks in 
the CK-framework. 

The resistance of (s)OAKE to KCI attacks is essentially implied by the proof of Theorem IG.2I and 
the proof of Theorem IG.31 from the observations that: for KCI attacks the test-session is of different 
uncorrupted peers A ^ B, and the security of the underlying OAKE-HDR/sOAKE-HDR hold even if 
the forger learns the private- key of the uncorrupted peer (the party A here). 

Weak PFS (wPFS). It is clarified in j37j that, no 2-round DHKE protocols with implicit key 
confirmation can fully render PFS security (the 3- round versions of HMQV and (s)OAKE, with explicit 
key-confirmation and mutual authentications, do fully provide PFS property). The work j37j formulates 
a weak notion of PFS, named weak PFS (wPFS), and shows that HMQV satisfies this wPFS property. 
Roughly speaking, wPFS property says that if the attacker is not actively involved with the choices of 
X,Y at a session (particularly if it does not get to choose or learn the DH-exponent x oi y), then the 
resultant session-key does enjoy forward security. Formally, 

Definition H.3 fg?) / A key-exchange protocol provides wPFS, if an attacker cannot distinguish from 
random the key of any clean session {A,I3,X,Y), where Y is also generated by an uncorrupted party in 
a clean session, even if has learned the private keys of both A and B. 

Proposition H.2 Under the CDH assumption (rather than the stronger GDH assumption) , the OAKE 
and sOAKE protocols provide wPFS property in the random oracle model. 

For establishing the wPFS property for (s)OAKE, we do not need here to construct a OAKE- 
HDR/sOAKE-HDR forger from the attacker violating the wPFS property. Actually, we can directly 
reduce the loss of wPFS to the CDH assumption, from the following observations: given the knowledge 
of both a and 6, the computation of Kj^ or is reduced to the computation of g^^^ from the random 
DH-components X, Y. Recall that, for wPFS property, we assume the attacker is not actively involved 
with the choices of X, Y. Then, we can simply guess the test-session, and set the DH-components as 
some random elements X, Y, and then reduce the ability of the attacker to violate wPFS directly to the 
CDH assumption. More details are omitted here. 



